A newly disclosed vulnerability in a widely installed Linux program can be easily exploited for local privilege escalation, researchers from cyber firm Qualys said today.
The memory corruption vulnerability (CVE-2021-4034)—which affects polkit’s pkexec—is not remotely exploitable. However, it can be “quickly” exploited to acquire root privileges, the researchers said in a blog post.
“This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration,” the Qualys researchers said in the post.
In Unix-like operating systems, polkit (formerly known as PolicyKit) is used to control system-wide privileges. Polkit’s pkexec is a program that enables an authorized user to execute commands as a different user.
Most Linux distributions affected
All versions of pkexec are affected by the vulnerability, and the program is “installed by default on every major Linux distribution,” the Qualys researchers said.
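As an added, defender-side example (not code from the article, from Qualys, or from the polkit project), the following POSIX shell script inventories a host for pkexec: whether the binary is present, what version it reports, and whether it is installed setuid root, which is how pkexec gains the ability to run commands as another user. An administrator can run it across a fleet to confirm which hosts carry the program before the vendor patches the article expects arrive. The search paths and the output labels are this example's own choices.

```shell
#!/bin/sh
# Inventory check for polkit's pkexec: presence, reported version, setuid status.
# Added example for this article; not from polkit, Qualys or the article itself.

# Classify a file by its setuid status and owner.
# Prints one of: missing, not-setuid, setuid-root, setuid-nonroot
classify_binary() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing"
        return 0
    fi
    if [ -u "$f" ]; then
        # GNU stat first, BSD/macOS stat as fallback.
        owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
        if [ "$owner" = "0" ]; then
            echo "setuid-root"
        else
            echo "setuid-nonroot"
        fi
    else
        echo "not-setuid"
    fi
}

# Locate pkexec on PATH or in the usual install locations (example paths).
find_pkexec() {
    for p in "$(command -v pkexec 2>/dev/null || true)" /usr/bin/pkexec /usr/local/bin/pkexec; do
        if [ -n "$p" ] && [ -x "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Print a one-line report for this host.
pkexec_report() {
    path=$(find_pkexec) || { echo "pkexec: not found on this host"; return 0; }
    ver=$("$path" --version 2>/dev/null | head -n1)
    echo "pkexec: $path (${ver:-version unknown}) - $(classify_binary "$path")"
}

pkexec_report
```

A host that prints `setuid-root` next to a pkexec version has the program installed in the way the article describes and should be in the patch queue; `missing` or `not-setuid` means the local escalation path described here is not present in that form.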
The first version of pkexec debuted in May 2009, meaning that the vulnerability—which the researchers dubbed “PwnKit”—has been “hiding in plain sight for 12+ years,” according to the blog post.
The researchers said that they’ve “been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS.”
“Other Linux distributions are likely vulnerable and probably exploitable,” the researchers said.
Without a doubt, “any vulnerability that gives root access on a Linux system is bad,” said Yaniv Bar-Dayan, cofounder and CEO at Vulcan Cyber, in an email comment. However, “this vulnerability is a local exploit, which mitigates some risk,” he noted.
The vulnerability was discovered by the Qualys researchers in November. They reported it to Red Hat, leading to today’s coordinated announcement with vendors and open-source distributions.
In the blog post, Qualys researchers said they expect vendors to provide patches for the vulnerability “in the short term.”
As of this writing, the Common Vulnerabilities and Exposures (CVE) website did not yet have a listing for CVE-2021-4034.
The Qualys researchers said they don’t plan to post exploit code for the flaw. But “given how easy it is to exploit the vulnerability, we anticipate public exploits to become available within a few days,” the researchers said in the blog post.
Spotlight on open source
The disclosure comes at a time of particularly high attention on software vulnerabilities, following the reveal of a critical remote code execution flaw in Apache Log4j, a widely used Java logging component, in December. Thanks in large part to the massive response effort from the security community, there have been few cyberattacks of consequence leveraging the Log4j vulnerability, researchers at Sophos said Monday.
Like the Log4j vulnerability, the Linux flaw disclosed by Qualys today affects widely used open source systems—making this new vulnerability a “big deal” for the industry, said Bud Broomhead, CEO at Viakoo.
“A single open source vulnerability can be present in multiple systems—including proprietary ones—which then requires multiple manufacturers to separately develop, test, and distribute a patch,” Broomhead said in an email comment. “For both the manufacturer, and end user, this adds enormous time and complexity to implementing a security fix for a known vulnerability.”
Threat actors, meanwhile, “are betting on some manufacturers being slow in releasing fixes and some end users being slow in updating their devices,” he said.