Linux Polkit Privilege Escalation Vulnerability (CVE-2021-4034)

I. Overview

Recently, a security research team disclosed a privilege escalation vulnerability (CVE-2021-4034, also dubbed PwnKit) in Polkit's pkexec. In its default configuration, an unprivileged local user can gain full root privileges on a vulnerable host by exploiting this vulnerability. Proof-of-concept and exploit code for this vulnerability have already been published, so the risk is high.

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. pkexec is part of the Polkit framework: it runs commands with elevated privileges and is an alternative to sudo. If you use Polkit, check your Polkit version and apply security hardening promptly.

Reference link: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

II. Severity

Severity: important

(Severity levels: low, moderate, important, critical)

III. Affected Products

Affected versions: all mainstream Linux distributions

Secure versions: see the security bulletin of your Linux vendor.

IV. Vulnerability Handling

  1. Linux vendors such as Red Hat, Ubuntu, Debian, and SUSE have released patches for this vulnerability. Upgrade your Linux OS to a secure version. If you cannot update in time, mitigate the risk by following the official guidance from these vendors.

    Red Hat; Ubuntu: USN-5252-1, USN-5252-2; Debian; SUSE

  2. EulerOS has released a patch. You only need to upgrade the polkit package (.rpm).

    The upgrade method is as follows:

    1. yum clean all

    2. yum makecache

    3. yum update polkit

    4. rpm -qa | grep polkit

      Check that polkit has been upgraded to the version that corresponds to your EulerOS release:

      • EulerOS 2.10: polkit-0.116-6.h4

      • EulerOS 2.9: polkit-0.116-5.h7

      • EulerOS 2.8: polkit-0.115-2.h14

      • EulerOS 2.5: polkit-0.112-14.h15

  3. If no patch is available for your system, run chmod 0755 /usr/bin/pkexec as root to remove the SUID bit from pkexec. Without the SUID bit pkexec can no longer elevate privileges, which is the point of the workaround; installing the fixed package later restores the intended permissions.
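    The version check in step 2 and the SUID check in step 3 combined into one POSIX sh audit helper. This is an added example, not code from the bulletin or from EulerOS; the rpm -qa output is a constructed sample, the version test is an exact match against the builds listed above and assumes EulerOS package naming.

```shell
#!/bin/sh
# Added audit helper (not from the bulletin): applies step 2 (is the EulerOS
# polkit package at the fixed build?) and step 3 (is pkexec still SUID?).
# Fixed polkit build for each EulerOS release, as listed in step 2.
fixed_polkit_for() {
  case "$1" in
    2.10) echo "0.116-6.h4" ;;
    2.9)  echo "0.116-5.h7" ;;
    2.8)  echo "0.115-2.h14" ;;
    2.5)  echo "0.112-14.h15" ;;
    *)    return 1 ;;
  esac
}

# Pull "<version>-<release>" out of "rpm -qa | grep polkit" output, e.g.
# "polkit-0.116-5.h7.x86_64" -> "0.116-5.h7". Only the main package counts;
# polkit-libs / polkit-devel lines are skipped. Assumes EulerOS naming.
installed_polkit() {
  for pkg in $1; do             # one package name per line, no spaces
    case "$pkg" in
      polkit-[0-9]*)
        v=${pkg#polkit-}        # drop the package name
        echo "${v%.*}"          # drop the trailing ".<arch>"
        return 0 ;;
    esac
  done
  return 1
}

# Step 3 check: does the binary still carry the set-user-ID bit?
pkexec_is_suid() { [ -u "$1" ]; }

# Verdict: "patched" (exact match with the fixed build), "exposed"
# (not at the fixed build and pkexec is SUID), or "mitigated" (not at the
# fixed build, but the SUID bit is gone or pkexec is absent). A build newer
# than the listed one is reported as not patched; confirm with rpm -q.
audit_polkit() {
  want=$(fixed_polkit_for "$1") || { echo "unknown-release"; return 2; }
  have=$(installed_polkit "$2")
  if [ "$have" = "$want" ]; then echo "patched"; return 0; fi
  if pkexec_is_suid "$3"; then echo "exposed"; return 1; fi
  echo "mitigated"; return 0
}

# Constructed sample of "rpm -qa | grep polkit" output from an EulerOS 2.9 host.
SAMPLE_RPM_QA="polkit-libs-0.116-5.h7.x86_64
polkit-0.116-5.h7.x86_64"
audit_polkit 2.9 "$SAMPLE_RPM_QA" /usr/bin/pkexec   # prints "patched"
```

    Run it with the release number, the real rpm -qa output and the pkexec path; an "exposed" verdict means step 3 still needs to be applied.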

Before applying any fix, back up your files and test the change thoroughly.