The Qualys Research Team announced that they have discovered a memory corruption vulnerability, tracked as CVE-2021-4034, in polkit’s pkexec. pkexec is a SUID-root program that is installed by default on almost all major Linux distributions. When exploited, the vulnerability allows an unprivileged user to gain full root privileges in the default configuration.
The vulnerability has been hiding in plain sight for more than 12 years.
Polkit, formerly known as PolicyKit, is a component that provides a way for non-privileged processes to communicate with privileged processes in Unix-like operating systems. Through pkexec, polkit can also be used to execute commands with root permission.
The researchers could successfully exploit the vulnerability, also known as the PwnKit vulnerability, to obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. It affects all versions of pkexec since the first one, which was introduced in May 2009, meaning that the vulnerability is currently 12 years old.
The PwnKit vulnerability is caused by the way pkexec’s main() function processes its command-line arguments. Researchers state that this allows them to re-introduce an “unsecure” environment variable into pkexec’s environment; such variables are normally removed by ld.so before a SUID program like pkexec runs.
Qualys researchers stated that Qualys customers can search the knowledge base for the vulnerability to identify all the QIDs and affected assets and apply patches. Qualys’ free VMDR trial also offers full access to the QIDs for the vulnerability, allowing users to identify vulnerable assets. The team also stated that they expect vendors to release patches addressing this vulnerability as soon as possible.
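For administrators who want to check their own hosts, the following script is an added example written for this page; it is not code from the article or from Qualys. It reports whether a pkexec binary still carries the SUID-root bit, which is the condition the vulnerability relies on, and points at the temporary workaround published in Qualys’ advisory (removing that bit) for hosts that cannot be patched immediately. The path /usr/bin/pkexec is an assumption and can be overridden with the first argument.

```shell
#!/bin/sh
# Added example (not from the article or Qualys): defender-side check for the
# precondition of CVE-2021-4034, a setuid-root pkexec binary.
# The default path /usr/bin/pkexec is an assumption; pass another path as $1.

# Return 0 if the file at $1 exists and has the setuid bit set, 1 otherwise.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Return 0 if the file at $1 is owned by uid 0, 1 otherwise.
# ls -n prints numeric ids, so the check does not depend on name resolution.
is_root_owned() {
    [ -f "$1" ] || return 1
    uid=$(ls -ldn "$1" | awk '{print $3}')
    [ "$uid" = "0" ]
}

# Print one status line for the binary at $1. Always returns 0 so the script
# can be sourced or run under 'set -e' without aborting on a missing binary.
report_pkexec() {
    p="$1"
    if [ ! -f "$p" ]; then
        echo "$p: not present (pkexec is not installed)"
    elif is_setuid "$p" && is_root_owned "$p"; then
        echo "$p: setuid root -> exploitable if polkit is unpatched."
        echo "  Apply the vendor patch, or as a temporary workaround: chmod 0755 $p"
    else
        echo "$p: not setuid root -> not usable for privilege escalation"
        echo "  (note: without the bit, pkexec will not work for normal use either)"
    fi
    return 0
}

report_pkexec "${1:-/usr/bin/pkexec}"
```

Run it as `sh check_pkexec.sh` on each host, or with an explicit path such as `sh check_pkexec.sh /usr/local/bin/pkexec`. A "setuid root" result is not by itself proof of vulnerability, since a patched polkit package keeps the bit; treat it as the signal to confirm the package version against the vendor advisory.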