
Major Linux PolicyKit Security Vulnerability Uncovered: Pwnkit (zdnet.com)

(Tuesday January 25, 2022 @10:30PM (BeauHD) from the time-to-patch-your-machines dept.)


An anonymous reader quotes a report from ZDNet:

> [S]ecurity company Qualys has [1]uncovered a truly dangerous memory corruption vulnerability in polkit's pkexec, [2]CVE-2021-4034. [3]Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It's installed by default in every major Linux distribution. This vulnerability is easy to exploit. And, with it, any ordinary user can gain full root privileges on a vulnerable computer by exploiting this vulnerability in its default configuration. As Qualys wrote in its brief description of the problem: "This vulnerability is an attacker's dream come true." Why is it so bad? Let us count the ways:
>
> - Pkexec is installed by default on all major Linux distributions.
> - Qualys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they're sure other distributions are also exploitable.
> - Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, "Add a pkexec(1) command").
> - An unprivileged local user can exploit this vulnerability to get full root privileges.
> - Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
> - And, last but not least, it's exploitable even if the polkit daemon itself is not running.
>
> Red Hat rates the PwnKit as having a Common Vulnerability Scoring System (CVSS) [4]score of 7.8. This is high. [...] This vulnerability, which has been hiding in plain sight for 12+ years, is a problem with how pkexec reads environment variables. The short version, according to Qualys, is: "If our PATH is "PATH=name=.", and if the directory "name=." exists and contains an executable file named "value", then a pointer to the string "name=./value" is written out-of-bounds to envp[0]." While Qualys won't be releasing a demonstration exploit, the company is sure it won't take long for exploits to be available. Frankly, it's not that hard to create a PwnKit attack.

It's recommended that you obtain and apply a patch ASAP to protect yourself from this vulnerability.

"If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation," adds ZDNet. "For example, this root-powered shell command will stop attacks: # chmod 0755 /usr/bin/pkexec."



[1] https://www.zdnet.com/article/major-linux-policykit-security-vulnerability-uncovered-pwnkit/

[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034

[3] https://wiki.archlinux.org/title/Polkit

[4] https://access.redhat.com/security/cve/CVE-2021-4034
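The interim mitigation the report mentions (dropping the SUID bit from pkexec until a patched package is installed) as an added audit script; this is example code written for this page, not from ZDNet, Qualys or the polkit project. It assumes the binary lives at /usr/bin/pkexec unless another path is passed, and that the caller has the rights to chmod it.

```shell
#!/bin/sh
# Added example: report whether a pkexec binary still carries the setuid bit
# and, on request, apply the temporary mitigation from the report (chmod 0755).
# Default path is an assumption; pass the real location if it differs.

# Print one of: missing, suid, not-suid
pkexec_suid_state() {
    path="${1:-/usr/bin/pkexec}"
    if [ ! -e "$path" ]; then
        echo missing
    elif [ -u "$path" ]; then          # POSIX test: setuid bit set
        echo suid
    else
        echo not-suid
    fi
}

# Strip setuid while keeping the file executable (the report's "chmod 0755").
# Returns 0 only if the file ends up without the setuid bit.
pkexec_mitigate() {
    path="${1:-/usr/bin/pkexec}"
    if [ ! -e "$path" ]; then
        echo "no such file: $path" >&2
        return 1
    fi
    chmod 0755 "$path" || return 1
    [ "$(pkexec_suid_state "$path")" = "not-suid" ]
}

# Command-line use: ./pkexec_check.sh --check [path] | --mitigate [path]
case "${1:-}" in
    --check)    echo "$(pkexec_suid_state "$2")" ;;
    --mitigate) pkexec_mitigate "$2" && echo "setuid removed from ${2:-/usr/bin/pkexec}" ;;
esac
```

Run `--check` first across a fleet to find hosts that still expose a setuid pkexec; re-run it after patching, since a fixed package restores the bit and that is expected.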



Typo or intentional flame-bait? (Score:5, Informative)

by Burdell ( 228580 )

> Polkit, formerly known as PolicyKit, is a systemd [emphasis mine] SUID-root program.

PolicyKit is not part of or related to systemd - it pre-dates systemd's existence.

Neither. O/P's just cutting/pasting, not editing. (Score:2)

by mmell ( 832646 )

Somebody couldn't find a position in programming, administering or engineering computer systems, so he found a "job" writing about them.

Re: (Score:1)

by dogcar3604 ( 1482103 )

...but you heard it here first! ;-)

Security team drama expected to ensue? (Score:2)

by klipclop ( 6724090 )

Will the media and US Cybersecurity and Infrastructure Security Agency (CISA) parade out Director Jen Easterly to say this is the second worst vulnerability she's ever seen? (before promptly going back to the sub basement to resume Netflix binge watching)

Re: (Score:2)

by ufgrat ( 6245202 )

Sendmail still wins.

But this is up there with the bash problem from a few years ago.

Shouldda ran Windows (Score:1)

by Tablizer ( 95088 )

-489239 Troll

At last... (Score:2)

by dogcar3604 ( 1482103 )

...we can finally stop talking about log4j...
