A 12-year-old security vulnerability has been disclosed in a system utility called Polkit that grants attackers root privileges on Linux systems, even as a proof-of-concept (PoC) exploit has emerged in the wild merely hours after technical details of the bug became public.
Dubbed “PwnKit” by cybersecurity firm Qualys, the weakness impacts a component in polkit called pkexec, a program that’s installed by default on every major Linux distribution such as Ubunti, Debian, Fedora, and CentOS.
Polkit (formerly called PolicyKit) is a toolkit for controlling system-wide privileges in Unix-like operating systems, and provides a mechanism for non-privileged processes to communicate with privileged processes.
“This vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration,” Bharat Jogi, director of vulnerability and threat research at Qualys, said, adding it “has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009.”
The flaw, which concerns a case of memory corruption and has been assigned the identifier CVE-2021-4034, was reported to Linux vendors on November 18, 2021, following which patches have been issued by Red Hat and Ubuntu.
pkexec, analogous to the sudo command, allows an authorized user to execute commands as another user, doubling as an alternative to sudo. If no username is specified, the command to be executed will be run as the administrative super user, root.
PwnKit stems from an out-of-bounds write that enables the reintroduction of “unsecure” environment variables into pkexec’s environment. While this vulnerability is not remotely exploitable, an attacker that has already established a foothold on a system via another means can weaponize the flaw to achieve full root privileges.
Complicating matters is the emergence of a PoC in the wild, which CERT/CC vulnerability analyst Will Dormann called “simple and universal,” making it absolutely vital that the patches are applied as soon as possible to contain potential threats.
The development marks the second security flaw uncovered in Polkit in as many years. In June 2021, GitHub security researcher Kevin Backhouse revealed details of a seven-year-old privilege escalation vulnerability (CVE-2021-3560) that could be abused to escalate permissions to the root user.
On top of that, the disclosure also arrives close on the heels of a security flaw affecting the Linux kernel (CVE-2022-0185) that could be exploited by an attacker with access to a system as an unprivileged user to escalate those rights to root and break out of containers in Kubernetes setups.