On January 25, 2022, researchers at Qualys released an article detailing the discovery and exploitation of CVE-2021-4034, a flaw in the Polkit package present in major Linux distributions such as Redhat, Fedora, Debian/Ubuntu, and CentOS. The vulnerability allows for local privilege escalation, including full root privileges.
Bharat Jogi, Director of Vulnerability and Threat Research at Qualys stated that “Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).”
Qualys initiated disclosure in November and both an advisory and a patch started making the rounds on January 11th, 2022. As of today, all distributions named above have released a mainline patch remediating the issue.
Analyst Notes
This vulnerability allows for privilege escalation post-compromise, including the ability to gain root access on the target machine. It is possible to mitigate temporarily by removing the SUID-bit from pkexec using chmod, however, patching immediately is always recommended. Talos has also released rules for Snort and Suricata to alert on possible exploitation.
https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
