
All Linux Distributions Affected by 12-Year-Old PwnKit Local Privilege Escalation Bug Allowing an Attacker to Execute Commands as Root

Security researchers at Qualys discovered a 12-year-old local privilege escalation flaw that could allow an attacker to take over Linux computer systems.

Dubbed PwnKit, the memory corruption vulnerability (CVE-2021-4034) affects polkit’s Set User ID (SUID) program pkexec in its default configuration. Polkit (formerly PolicyKit) manages system-wide privileges and organizes communication between privileged and non-privileged processes.

Though the flaw is not remotely exploitable, an unprivileged local attacker could easily exploit it to obtain full root privileges and execute commands with elevated privileges through the pkexec command.

12-year-old local privilege escalation vulnerability affects all Linux distributions

The local privilege escalation flaw was introduced in May 2009 as commit c8c3d83 with the message ‘Add a pkexec(1) command.’ Since then, the SUID root program has come installed by default on every major Linux distribution, including Ubuntu, Debian, Fedora, and CentOS. The researchers successfully demonstrated proof-of-concept code that exploits these systems.

Although the method is unreliable, system administrators can detect exploitation of the local privilege escalation by checking their system logs.

“Yes, this exploitation technique leaves traces in the logs (either ‘The value for the SHELL variable was not found the /etc/shells file’ or ‘The value for environment variable […] contains suspicious content’). However, please note that this vulnerability is also exploitable without leaving any traces in the logs.”
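The two log messages quoted above are the only detection hook the article offers, so here is an added example (not code from the article or from Qualys) of scanning a syslog-style file for them. The message strings are the ones quoted on the page; the sample log lines, the `pkexec[pid]:` prefix and the trailing `[USER=…]` fields are constructed for the demo and are an assumption about the log layout.

```shell
#!/bin/sh
# Added example (not from the article or from Qualys): scan a log file for
# the two pkexec messages the article names. The message strings are the
# ones quoted on the page; the sample log lines below are constructed.

PWNKIT_LOG_PATTERN='pkexec.*(was not found the /etc/shells file|contains suspicious content)'

# Print every line carrying one of the two messages (prints nothing if none).
pwnkit_log_hits() {
    grep -E "$PWNKIT_LOG_PATTERN" "$1" || true
}

# Print how many such lines the file holds. grep -c still prints "0" when
# nothing matches but exits non-zero, so swallow that status.
pwnkit_log_count() {
    grep -cE "$PWNKIT_LOG_PATTERN" "$1" || true
}

# Constructed sample log: two suspicious pkexec lines among ordinary noise.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 26 10:00:01 host sshd[1200]: Accepted publickey for alice from 10.0.0.5 port 51000
Jan 26 10:01:02 host pkexec[4321]: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp]
Jan 26 10:01:03 host pkexec[4322]: The value for environment variable XAUTHORITY contains suspicious content [USER=root] [TTY=unknown] [CWD=/tmp]
Jan 26 10:02:00 host pkexec[4400]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart cups]
EOF

echo "suspicious pkexec lines: $(pwnkit_log_count "$SAMPLE_LOG")"
pwnkit_log_hits "$SAMPLE_LOG"
```

Point the functions at `/var/log/auth.log` or `/var/log/secure` (or a `journalctl -u polkit` dump) on a real host. As the quote itself warns, a zero count does not prove the host is clean: the technique can be used without producing either message.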

The memory corruption occurs when pkexec’s main() function processes the argument list it was given and determines which program to execute. If the supplied path is not absolute, pkexec searches the directories listed in the PATH environment variable for it.

If a matching executable is found in one of those PATH directories, a pointer to the combined directory name and program name is written out of bounds, into envp[0]. That out-of-bounds write is the loophole an attacker uses against the pkexec SUID program.

Combined with other vulnerabilities, including remote code execution (RCE), the flaw could turn into a handy tool for attackers to exploit.

“While remote code execution vulnerabilities often garner the most attention, it’s important to note that successful cyber-attacks are often the result of a series of vulnerabilities chained together to accomplish the attacker’s objectives,” said Tim Mackey, principal security strategist, Synopsys Cybersecurity Research Center. “In this case, a local privilege escalation vulnerability is valuable as the attacker might find they’ve gained access to a Linux system, but with limited access rights. CVE-2021-4034 then could be used to gain additional rights within that system allowing them to escalate their attack.”

The Linux local privilege escalation vulnerability comes hot on the heels of another major bug, Log4Shell, discovered a few months ago.

Like the Log4j vulnerability, the pkexec local privilege escalation vulnerability has raised serious concerns from the cybersecurity community.

These concerns are warranted given that the component is an important backbone for systems running critical infrastructure such as communication and banking systems, and for the Linux kernel used in various devices.

System admins urged to mitigate local privilege escalation vulnerability

Citing existing proof-of-concept (POC) code, the director of the National Security Agency’s Cybersecurity Directorate, Rob Joyce, urged system administrators to patch the vulnerability.

Similarly, security experts advised system administrators to remove the SUID bit from pkexec as a temporary mitigation for the local privilege escalation vulnerability until official vendor fixes become available.

According to the researchers, running the command “chmod 0755 /usr/bin/pkexec” would fix the bug temporarily.
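The chmod above is the whole mitigation, but an administrator also wants to know whether it is still in effect and whether it actually took. The following is an added example (not code from the article or from Qualys) that checks for the SUID bit with the POSIX `test -u` operator and applies the article’s `chmod 0755` only when needed; the default path `/usr/bin/pkexec` is an assumption, overridable through the `PKEXEC` variable.

```shell
#!/bin/sh
# Added example (not from the article or from Qualys): check whether a
# pkexec binary still carries the SUID bit and apply the temporary
# "chmod 0755" mitigation the article quotes. /usr/bin/pkexec is an
# assumed default; override with PKEXEC=/other/path.

PKEXEC=${PKEXEC:-/usr/bin/pkexec}

# Exit 0 when the file has the set-user-ID bit set (POSIX test -u).
pkexec_is_suid() {
    [ -u "$1" ]
}

# Drop the SUID bit if present, then verify the result. Returns 0 when the
# file ends up without SUID, 1 when the bit is still set afterwards, and 2
# when chmod itself failed (for example, not root on a root-owned binary).
pkexec_mitigate() {
    f=$1
    if pkexec_is_suid "$f"; then
        chmod 0755 "$f" || return 2
    fi
    if pkexec_is_suid "$f"; then
        return 1
    fi
    return 0
}

# Report only; applying the mitigation is a deliberate, separate call.
if pkexec_is_suid "$PKEXEC"; then
    echo "$PKEXEC carries the SUID bit: exposed until patched; to mitigate run: pkexec_mitigate $PKEXEC"
else
    echo "$PKEXEC does not carry the SUID bit (already mitigated, or not installed)"
fi
```

Two caveats follow from how the mitigation works. Without its SUID bit pkexec cannot perform its normal job of running commands as another user, so legitimate uses break until the patched package is installed. And installing or reinstalling the polkit package restores the file’s packaged permissions, so re-run the check after updates rather than assuming the chmod persisted.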

Travis Biehn, principal security consultant, Synopsys Software Integrity Group said the local privilege escalation bug was a low-hanging fruit for anybody to exploit. He warned that it could have serious security implications.

“pkexec, part of polkit, is a piece of software normally distributed as the backbone of critical software that runs phones, servers that power the internet, the cloud, your enterprise, the Linux kernel, and its operating system,” Biehn said. “Packaged as distributions that typically combine the mission control, kernel, userland, the stuff that makes the computer do useful things, and a package manager—which updates and installs and versions—into a package that provides end-user delight.”

Qualys researchers discovered the vulnerability in November and reported their findings to Red Hat before they were taken up by other vendors. They urged vendors to release pkexec security fixes quickly to achieve universal adoption.

However, Bud Broomhead, CEO at Viakoo, warned that security patches could be delayed given that no central entity is responsible for bug fixing.

“This is a big deal. Unlike fully proprietary systems where a single manufacturer can issue a single patch to address a vulnerability, a single open-source vulnerability can be present in multiple systems (including proprietary ones) which then requires multiple manufacturers to separately develop, test, and distribute a patch,” Bud continued. “For both the manufacturer and end-user, this adds enormous time and complexity to implementing a security fix for a known vulnerability.”

Bud noted that threat actors love open source systems because they can bet on some manufacturers being slow to release security patches.

“What needs to be done going forward falls into three main categories: software bill of materials (SBOM), automated deployment of security fixes, and extending Zero Trust to IoT/OT systems. Having clarity over what is in a software distribution via an SBOM makes finding vulnerable systems easier. Automated implementation of security fixes is needed to address the scale issue, both number and geography, especially with IoT systems. And extending Zero Trust to IoT/OT devices can add additional security to prevent vulnerabilities from being exploited.”

Yaniv Bar-Dayan, CEO and Co-Founder at Vulcan Cyber, perceives open source as a “two-edged blade.”

“On one side, everyone can look at the code and audit it to identify and patch vulnerabilities. On the other side, threat actors can look at the code and find subtle issues that everyone else has missed. The advantages of this model have historically outweighed the disadvantages, with many eyes on the code and patches frequently appearing very rapidly after a vulnerability comes to light.”


Although Qualys did not release its POC code, it expected public exploits to emerge within a few days of disclosure, given how easily attackers could exploit the bug.