What is it?
PwnKit (CVE-2021-4034), discovered by the Qualys Research Team, is a local privilege escalation vulnerability affecting a widespread Linux component, Polkit’s pkexec.
Polkit’s pkexec is a set-UID-root helper that lets an authorised user run a command as another user, typically root, much like sudo. The vulnerability is a memory-safety bug in pkexec’s handling of its argument list: when the program is executed with no arguments at all (argc == 0) it reads and writes past the end of argv, which lets an unprivileged local user introduce an attacker-controlled environment variable into the privileged process and escalate to root.
What’s the risk/impact?
PwnKit requires authenticated user access to a system in order to exploit. Once this access is obtained, any standard user account can escalate to full root privileges on the system. This could lead to the gathering of confidential information, as well as retrieving the details of privileged accounts that could allow further access to an internal network.
Most alarmingly, this vulnerability is very simple to exploit. A proof-of-concept developed by a SureCloud security consultant shows just how easily PwnKit can be used to escalate privileges on an Ubuntu system that is missing the necessary patch or mitigations.
Am I impacted?
PwnKit affects every release of pkexec prior to the patched packages, and pkexec is installed by default on all major Linux distributions, including (but not limited to) Ubuntu, Debian, Fedora, RHEL and CentOS. If you are using a Linux distribution and have not patched or removed this package, it should be assumed that you are vulnerable.
Note: Polkit is also found within non-Linux operating systems such as Solaris and BSD, but their exploitability has not been fully investigated at the time of writing. However, it is noted that OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0.
How to identify?
Since this vulnerability affects almost all major distributions of Linux, it is essential that an organization identifies all assets that run a Linux based operating system. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).
There are several ways to identify which systems might be running Linux based operating systems within your environment and products. This can be performed via:
- Asset inventories
- Network scanners: e.g. Tenable Nessus, Qualys, SureCloud Platform, or an nmap scan with the -O flag enabled for Operating System fingerprinting.
- Linux hosts can sometimes be spotted by the time-to-live (TTL) value in their ping replies: Linux defaults to 64, whereas Windows defaults to 128. Treat this only as a hint, because every router hop decrements the TTL and other operating systems (macOS and the BSDs, for example) also start at 64.
Once Linux systems have been identified, each should be checked for the pkexec binary (normally /usr/bin/pkexec, shipped in the polkit or policykit-1 package) and for whether it still carries the set-UID bit; a pkexec without the set-UID bit cannot be used for this escalation.
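The host-level check described above, as an added example that is not part of the original advisory: it looks for pkexec in the usual locations, reports whether each copy is still set-UID, and prints the installed polkit package version for comparison against the vendor advisory. The candidate path list and the PKEXEC_CANDIDATES override are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original advisory): check a host for pkexec and
# report whether it is still set-UID root, i.e. still exposed to PwnKit.
# Candidate paths and the PKEXEC_CANDIDATES override are assumptions for
# illustration; adjust them for your distribution.

# Print the 10-character permission string of a file, e.g. "-rwsr-xr-x".
perm_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Return 0 if the owner-execute slot holds 's' or 'S' (the set-UID bit is set).
is_suid() {
    case "$(perm_string "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Report the installed polkit package version for comparison against the
# vendor advisory; skips package managers that are not present on the host.
package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' policykit-1 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q polkit 2>/dev/null
    fi
}

# Check every candidate path. Prints one line per path and returns 0 if at least
# one set-UID pkexec was found, so that `if check_pkexec; then ...` means "exposed".
check_pkexec() {
    exposed=1
    for p in ${PKEXEC_CANDIDATES:-/usr/bin/pkexec /usr/local/bin/pkexec}; do
        if [ ! -e "$p" ]; then
            echo "ABSENT    $p"
        elif is_suid "$p"; then
            echo "EXPOSED   $p ($(perm_string "$p")) is set-UID; patch or strip the bit"
            exposed=0
        else
            echo "MITIGATED $p ($(perm_string "$p")) is present but not set-UID"
        fi
    done
    return "$exposed"
}

check_pkexec
package_version
```

Run it on each Linux host from your inventory (or push it through your configuration management tool) and treat any EXPOSED line as a system that still needs the patch or the chmod workaround.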
This vulnerability is not exploitable remotely and requires an attacker to have local access to a vulnerable system, whether that be with valid user credentials or via a separate attack vector.
Exploitation of this vulnerability may also leave traces in the system logs. A pkexec entry containing either “The value for the SHELL variable was not found the /etc/shells file” or “The value for environment variable […] contains suspicious content” (the first message is quoted as pkexec actually writes it, missing word included) may indicate an exploitation attempt.
Therefore, these log entries can be used for alerting, but keep in mind that it is possible to exploit the vulnerability without the above log entries being generated. Hence, patches and mitigations should be applied as soon as possible.
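The alerting idea above, as an added example that is not part of the original advisory: a filter for the two pkexec messages and a per-user tally, run here against a constructed sample log. The sample lines are made up for illustration and are not from a real incident.

```sh
#!/bin/sh
# Added example (not from the original advisory): search pkexec log output for
# the two messages that may indicate a PwnKit exploitation attempt.
# SAMPLE_LOG is constructed for illustration, not taken from a real incident.

SAMPLE_LOG='Jan 26 10:02:11 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2
Jan 26 10:03:45 host1 pkexec[1340]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=/bin/true]
Jan 26 10:03:47 host1 pkexec[1344]: alice: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=/bin/true]
Jan 26 10:05:00 host1 pkexec[1402]: bob: Executing command [USER=root] [TTY=/dev/pts/1] [CWD=/home/bob] [COMMAND=/usr/bin/apt update]'

# Filter stdin down to lines carrying either indicator. grep exit codes apply:
# 0 when something matched, 1 when nothing did.
pwnkit_log_hits() {
    grep -E 'The value for the SHELL variable was not found the /etc/shells file|The value for environment variable .* contains suspicious content'
}

# Number of indicator lines in the text passed as $1.
count_hits() {
    printf '%s\n' "$1" | pwnkit_log_hits | wc -l | tr -d ' '
}

# Per-user tally of indicator lines read from stdin, printed as "user count".
# The user is the token pkexec logs between its PID and the message text.
summarize_hits() {
    pwnkit_log_hits | awk '
        match($0, /pkexec\[[0-9]+\]: [^:]+:/) {
            u = substr($0, RSTART, RLENGTH)
            sub(/.*\]: /, "", u)
            sub(/:$/, "", u)
            n[u]++
        }
        END { for (u in n) printf "%s %d\n", u, n[u] }'
}

# Usage against the constructed sample. On a live host feed the real source instead:
#   journalctl _COMM=pkexec | summarize_hits
#   cat /var/log/auth.log /var/log/secure 2>/dev/null | summarize_hits
printf '%s\n' "$SAMPLE_LOG" | summarize_hits
```

Any non-zero tally is worth a look, but as noted above a quiet log does not prove a host is clean, so the filter supplements patching rather than replacing it.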
How to fix?
Given the breadth of the attack surface for PwnKit across most Linux-based systems, users should apply patches or mitigations for this vulnerability immediately. This vulnerability was reported to Linux vendors on November 18, 2021, following which patches have already been issued by Red Hat and Ubuntu.
Ubuntu has already pushed updates for PolicyKit to address this vulnerability in 14.04 and 16.04 ESM (extended security maintenance) as well as in the more recent 18.04, 20.04 and 21.04 releases. Users just need to run a standard system update; because pkexec is a short-lived set-UID binary rather than a resident service, a reboot is not strictly required for the fixed binary to take effect, although rebooting does no harm.
Red Hat has also released a security update for Polkit on Workstation and Enterprise products for supported architectures, as well as for extended life cycle support, TUS, and AUS.
We expect all other vendors to release patches for this vulnerability very shortly.
If no patches are available for your operating system, you can remove the set-UID bit from pkexec as a temporary mitigation. Without that bit pkexec can no longer elevate privileges at all, so desktop or administrative tooling that relies on it to run helpers as root will fail until the bit is restored (installing the patched package normally restores it). Apply this workaround with caution and regression-test the system to ensure nothing critical has been broken as a result of the change.
Example SUID-bit command:
# chmod 0755 /usr/bin/pkexec
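The workaround above, wrapped so it can be applied and later reverted safely, as an added example that is not part of the original advisory: it records the current mode before stripping the set-UID bit, verifies the result, and offers a restore function for use once the patched package is in place. The backup file location is an assumption, and `stat -c` is GNU coreutils syntax.

```sh
#!/bin/sh
# Added example (not from the original advisory): apply the temporary mitigation
# by stripping the set-UID bit from pkexec, keeping a record of the previous mode
# so the change can be reverted once the vendor patch is installed. Run as root.
# The backup path shown in the usage comment is an assumption; `stat -c` is GNU.

# Octal mode of a file, e.g. 4755 for a set-UID root-executable binary.
octal_mode() {
    stat -c '%a' "$1"
}

# Return 0 if the owner-execute slot of the permission string holds 's' or 'S'.
is_suid() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# remove_suid FILE MODE_BACKUP
# Saves FILE's current mode to MODE_BACKUP, removes the set-UID bit and verifies
# the result. Safe to re-run: a file that is already non-set-UID is left alone.
remove_suid() {
    f="$1"; backup="$2"
    if [ ! -e "$f" ]; then
        echo "$f: not present, nothing to do"
        return 0
    fi
    if ! is_suid "$f"; then
        echo "$f: already without set-UID (mode $(octal_mode "$f"))"
        return 0
    fi
    octal_mode "$f" > "$backup" || return 1
    chmod 0755 "$f" || return 1
    if is_suid "$f"; then
        echo "$f: still set-UID after chmod, investigate" >&2
        return 1
    fi
    echo "$f: set-UID removed (was $(cat "$backup"), now $(octal_mode "$f"))"
}

# restore_suid FILE MODE_BACKUP
# Puts the recorded mode back, for use after the patched package is installed.
restore_suid() {
    f="$1"; backup="$2"
    if [ ! -r "$backup" ]; then
        echo "$backup: no saved mode, nothing to restore" >&2
        return 1
    fi
    chmod "$(cat "$backup")" "$f" && echo "$f: mode restored to $(octal_mode "$f")"
}

# Usage (as root):
#   remove_suid  /usr/bin/pkexec /var/backups/pkexec.mode
#   restore_suid /usr/bin/pkexec /var/backups/pkexec.mode
```

Keeping the recorded mode alongside the change matters in practice: it turns the workaround into something your change-control process can back out deliberately, rather than leaving a fleet of hosts whose pkexec silently stopped working after the patch window.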