Issued: Monday, 31 January, 2022 |
Last Revision: Monday, 31 January, 2022 |
Product: |
Severity Level: |
Qualys discovered a local privilege escalation vulnerability in polkit's pkexec utility. This vulnerability can give root privileges to a local user. Polkit (PolicyKit) is a system-wide privilege control component used by Unix-like operating systems. Every major distribution of Linux includes the SUID-root program by default.
With polkit, non-privileged processes can communicate with privileged ones in an organized fashion. The pkexec command can also be used to execute a given command with elevated privileges (root permissions).
Current versions of pkexec don't handle the calling parameter count correctly and end up trying to execute environment variables as commands. An attacker can exploit this by creating environment variables that pkexec will interpret as commands, which leads to arbitrary code execution. Because an unprivileged user can gain administrative rights on the target machine this way, the attack results in local privilege escalation.
It should be noted that this vulnerability is trivially exploitable.
CVE/Vulnerability | Description | CVSS3.0 Score |
CVE-2021-4034 | Local Privilege Escalation in polkit's pkexec | 7.8 |
Table 1: Vulnerability details
CVE/Vulnerability | Affected Product(s) |
CVE-2021-4034 | Ubuntu, Debian, Fedora, CentOS and other Linux distributions are likely vulnerable. Solaris and other Unix systems may also be vulnerable, except for OpenBSD. |
Table 2: Vulnerable versions
If no patch or other mitigation is available for the operating system used in your organization, removing the SUID bit from pkexec can act as a temporary mitigation. For example:
# chmod 0755 /usr/bin/pkexec
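
To confirm across hosts whether this temporary mitigation is in place, the following check can be used. It is an added example, not part of the original advisory; the function names are hypothetical, and the default path is the `/usr/bin/pkexec` used above (other paths can be passed as arguments).

```shell
#!/bin/sh
# Added example: audit whether the SUID-bit mitigation has been applied to pkexec.
# Function names are illustrative; the default path is the one used on this page.

# Print one of: missing | suid | no-suid
pkexec_suid_state() {
    target=$1
    if [ ! -e "$target" ]; then
        echo "missing"
    elif [ -u "$target" ]; then      # -u: the set-user-ID bit is set
        echo "suid"
    else
        echo "no-suid"
    fi
}

# Human-readable report for one path; always returns 0 so it can run in a loop.
report_pkexec() {
    target=$1
    state=$(pkexec_suid_state "$target")
    case $state in
        missing)
            echo "$target: not present, nothing to mitigate" ;;
        suid)
            echo "$target: SUID bit is SET, temporary mitigation not applied"
            ls -ld "$target"
            echo "  apply as root: chmod 0755 $target" ;;
        no-suid)
            echo "$target: SUID bit is cleared, temporary mitigation in place"
            ls -ld "$target" ;;
    esac
    return 0
}

# Check every path given, or /usr/bin/pkexec when none is given.
[ "$#" -gt 0 ] || set -- /usr/bin/pkexec
for p in "$@"; do
    report_pkexec "$p"
done
```

Re-run the check after package updates, since reinstalling or upgrading the polkit package can restore the original file mode.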
