How to Mitigate the PwnKit Vulnerability
On Jan. 25, the Qualys Research Team publicly disclosed a memory corruption vulnerability in PolKit (pkexec), a component included in every major Linux distribution. The exploit, known as PwnKit, is now tracked as CVE-2021-4034.
PolKit, which provides methods for nonprivileged processes to interact with privileged ones, is a popular component used in major Linux distributions and some UNIX-like operating systems, so CVE-2021-4034 has the potential to affect software development organizations far and wide. This vulnerability has been around since the first version of PolKit, then known as PolicyKit, was released in 2009.
How Does PolKit Work?
PolKit provides an authorization API that unprivileged programs can use to access features offered by privileged programs or services. The pkexecutility itself allows users to execute commands as another user, and if no user is specified, it will execute the commands as root, the highest-privileged account on Linux and UNIX systems.
An attacker who is already logged in to a system can use this vulnerability to gain full root privileges, even when PolKit itself is not running. Qualys described the work needed to exploit this vulnerability as “trivial,” and as expected, there are multiple sources describing how to exploit the vulnerability.
What Are the Implications?
CVE-2021-4034 has the potential to grant even inexperienced actors an easy way to access a multitude of systems and use administrative privileges. By chaining memory corruption in pkexec and a few other weaknesses in the software, unprivileged local users can gain full root privileges and then move through the vulnerable host’s network to steal sensitive data and lay the groundwork for additional attacks with increased stealth, persistence and capability.
Importantly, exploiting this vulnerability does require a threat actor to already have local access, because the vulnerable components don’t, for instance, listen for external traffic. But the ease with which even an inexperienced attacker can exploit it is cause for the heightened security level.
In addition, security researchers have already independently verified the vulnerability. They were able to develop an exploit that gave them full root privileges, providing confirmation that this bug is easily exploitable across a range of different targets.
What Should You Do?
All versions of PolKit since 2009 are vulnerable. As this package is installed by default with all popular UNIX-like distributions, this affects most Linux and UNIX-like machines. To remediate CVE-2021-4034, organizations must update the PolKit package by applying the patches that PolKit’s authors released on their GitLab page. RedHat and Ubuntu have also published remediation steps.
Here are the actions you should take.
- Locate systems running with PolKit. If they are built on a standard Linux OS, PolKit should be included by default. If systems are using custom builds, check for the PolicyKit or PolKit package, or if pkexec is running.
- Check if they’re vulnerable to exploitation. While Qualys has demonstrated that Ubuntu, Debian, Fedora and CentOS systems are vulnerable, OpenBSD is not, as it refuses to run (“execve()”) programs with zero command-line arguments (argc is 0), which is a key step in performing the exploit. You should test any non-Linux operating systems that PolKit supports, such as Solaris and BSD, as there is no determination about them yet.
- Prioritize assets for remediation. After identifying the vulnerable assets in your environment, consider the risk profile and business value when prioritizing your patching and mitigation tasks.
- Validate and apply patches for affected systems. The PolKit team and vendors for some of the affected operating systems have already released patches.
How Can an SBOM Help?
The PolKit package isn’t something that developers just independently decided to pull into an application they’re developing; rather, it comes along for the ride any time the affected Linux distributions are being used as the operating system. It’s sort of a “package deal,” no pun intended.
Considering the widespread use of Linux, this introduces a unique risk, especially to organizations developing IoT devices, embedded systems and virtual machine templates. Software composition analysis (SCA) tools provide users with signature and binary analysis, so they can analyze firmware, determine if the vulnerable Linux distributions are included, and be armed with a complete list of any additional components included in their firmware and VMs.
Building a comprehensive SBOM allows you to identify the location of components like PolKit when vulnerabilities like CVE-2021-4034 are disclosed, so you can remediate them quickly and avoid business disruption. Tools like Synopsys Black Duck® SCA also arm you with Black Duck Security Advisories (BDSAs), which provide an added layer of protection including same-day notification of newly reported vulnerabilities. In the case of PolKit, Black Duck customers have been busy working on remediation.
