If it’s not one thing, it’s another. After one real Linux problem, the heap overflow in the Linux kernel’s fs/fs_context.c, is found and fixed, a new security problem is discovered. This time security company Qualys has uncovered a truly dangerous memory-corruption vulnerability in polkit’s pkexec: CVE-2021-4034, which Qualys has nicknamed PwnKit.
Polkit, formerly known as PolicyKit, is the component that controls system-wide privileges in Unix-like operating systems. Its pkexec command is a SUID-root program, and it’s installed by default in every major Linux distribution.
How dangerous is it? Very.
This vulnerability is easy to exploit, and with it any unprivileged local user can gain full root privileges on a vulnerable computer in its default configuration. As Qualys wrote in its description of the problem: “This vulnerability is an attacker’s dream come true.”
Their dream is our nightmare.
Why is it so bad? Let us count the ways:
- Pkexec is installed by default on all major Linux distributions.
- Qualys has exploited Ubuntu, Debian, Fedora, and CentOS in its tests, and it’s sure other distributions are also exploitable.
- Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).
- An unprivileged local user can exploit this vulnerability to get full root privileges.
- Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in an architecture-independent way.
- And, last but not least, it’s exploitable even if the polkit daemon itself is not running.
Lovely, simply lovely.
It’s so dangerous because the program itself is so powerful: polkit is the component for controlling system-wide privileges in Unix-like operating systems. Linux is known to be exploitable, and Qualys notes that other Unix systems, such as Solaris and the BSDs, may be as well. We do know, however, that OpenBSD can’t be attacked with this vulnerability, because its kernel refuses to execute a program with an empty argument list (an argc of 0), which the attack depends on.
Red Hat rates PwnKit at a Common Vulnerability Scoring System (CVSS) base score of 7.8, which is “High” on that scale.
When used correctly, polkit provides an organized way for unprivileged processes to communicate with privileged ones. It also lets you run a command with elevated privileges: pkexec, followed by the command to be run with root permission.
In other words, pkexec is like the sudo command. Indeed, Debian developers describe it as “the sudo of systemd.”
This vulnerability, which has been hiding in plain sight for 12+ years, is a problem with how pkexec handles its argument list and environment variables. pkexec assumes there is at least one argument, argv[0], and starts parsing at argv[1]. If it is executed with an empty argument list (an argc of 0), argv[1] is actually envp[0], the first environment variable, which pkexec reads out of bounds; the program path it resolves from that value is then written back, also out of bounds, into the same slot. The short version, according to Qualys, is: “If our PATH is “PATH=name=.”, and if the directory “name=.” exists and contains an executable file named “value”, then a pointer to the string “name=./value” is written out-of-bounds to envp[0].”
While Qualys won’t be releasing a demonstration exploit, the company is sure it won’t take long for exploits to be available. Frankly, it’s not that hard to create a PwnKit attack.
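To make that out-of-bounds read and write concrete, here is an added example in C, written for this article and not polkit’s code. It models pkexec’s argument handling against a constructed argv/envp layout of the kind the kernel builds when a program is executed with an empty argv (one NULL terminating argv, immediately followed by envp), and shows the pre-fix logic turning envp[0] into an attacker-chosen “name=./value” entry while the post-fix logic rejects the call. The names pkexec_vulnerable, pkexec_fixed, find_in_path, lookup_path_var and build_empty_argv_layout are this example’s own; find_in_path is a deliberate simplification of GLib’s g_find_program_in_path() that skips the file-existence and executability check (in a real attack that check is satisfied by creating the directory “name=.” with an executable file “value” in it).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not polkit's code: a model of the argv/envp handling
 * behind CVE-2021-4034. On Linux the loader lays the argv pointer
 * array and the envp pointer array out back to back: argv[argc] is
 * NULL and argv[argc + 1] is envp[0]. pkexec's main() began parsing
 * at argv[1], so with argc == 0 it read, and later wrote, envp[0]. */

#define PATH_PREFIX "PATH="

static char resolved[256];   /* holds the path find_in_path() builds */

/* Simplified stand-in for g_find_program_in_path(): joins the first
 * PATH directory with the name. The real function also checks that
 * the resulting file exists and is executable. */
static const char *find_in_path(const char *path_value, const char *name)
{
    const char *colon = strchr(path_value, ':');
    size_t dirlen = colon ? (size_t)(colon - path_value) : strlen(path_value);
    if (dirlen + 1 + strlen(name) >= sizeof resolved)
        return NULL;
    memcpy(resolved, path_value, dirlen);
    resolved[dirlen] = '/';
    strcpy(resolved + dirlen + 1, name);
    return resolved;
}

/* Returns the value of the PATH variable found in envp, or NULL. */
static const char *lookup_path_var(char **envp)
{
    for (char **e = envp; *e != NULL; e++)
        if (strncmp(*e, PATH_PREFIX, strlen(PATH_PREFIX)) == 0)
            return *e + strlen(PATH_PREFIX);
    return NULL;
}

/* Model of the pre-fix logic. Returns the resolved program path, or
 * NULL. With argc == 0, argv[1] is envp[0]. */
const char *pkexec_vulnerable(int argc, char **argv, char **envp)
{
    int n;
    /* Skip leading options. With argc == 0 the loop body never runs,
     * so n stays at 1 even though argv has no element 1. */
    for (n = 1; n < argc; n++) {
        if (strcmp(argv[n], "--help") == 0 || strcmp(argv[n], "--version") == 0)
            continue;
        break;
    }
    const char *path = argv[n];            /* out-of-bounds read when argc == 0 */
    if (path == NULL)
        return NULL;
    if (path[0] != '/') {
        const char *path_var = lookup_path_var(envp);
        const char *s = path_var ? find_in_path(path_var, path) : NULL;
        if (s == NULL)
            return NULL;
        argv[n] = (char *)s;               /* out-of-bounds write: this is envp[0] */
        path = s;
    }
    return path;
}

/* Model of the fixed logic: the upstream patch rejects an empty
 * argument list before touching argv[1] (real pkexec exits 127). */
const char *pkexec_fixed(int argc, char **argv, char **envp)
{
    if (argc < 1)
        return NULL;
    return pkexec_vulnerable(argc, argv, envp);
}

/* Constructed layout for execve(path, {NULL}, {envp0, envp1, NULL}):
 * argv is empty, so argv[0] is the NULL terminator and envp follows. */
static char *fake_stack[4];

char **build_empty_argv_layout(const char *envp0, const char *envp1)
{
    fake_stack[0] = NULL;            /* argv[0]: end of the empty argv */
    fake_stack[1] = (char *)envp0;   /* envp[0], which is also argv[1] */
    fake_stack[2] = (char *)envp1;
    fake_stack[3] = NULL;
    return fake_stack;
}

/* Runs the vulnerable model on the constructed layout and returns what
 * envp[0] contains afterwards: the injected "name=./value" entry. */
const char *demo_injected_env(void)
{
    char **argv = build_empty_argv_layout("value", "PATH=name=.");
    char **envp = argv + 1;
    pkexec_vulnerable(0, argv, envp);
    return envp[0];
}

int main(void)
{
    char **argv = build_empty_argv_layout("value", "PATH=name=.");
    char **envp = argv + 1;
    printf("fixed model:      %s\n",
           pkexec_fixed(0, argv, envp) ? "resolved a path" : "rejected (argc < 1)");
    const char *r = pkexec_vulnerable(0, argv, envp);
    printf("vulnerable model: %s\n", r ? r : "(null)");
    printf("envp[0] is now:   %s\n", envp[0]);
    return 0;
}
```

The point of the model is the last line of output: an environment variable the attacker could not otherwise get past pkexec’s environment sanitisation now sits in envp[0], because it was written there as a “program path” rather than set as an environment variable. Note that Linux kernels from 5.18 onward force a single empty string into argv when a program is executed with an empty argv, so on those kernels the argc == 0 layout this example constructs can no longer be produced by execve().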
This is why you should obtain and apply a patch as quickly as possible from your Linux distributor. If no patch is available for your operating system yet, you can remove the SUID bit from pkexec as a temporary mitigation. Be aware that this also stops unprivileged users from using pkexec legitimately, and that your distribution’s fixed package will restore the bit when you upgrade. For example, this root-powered shell command will stop attacks:
# chmod 0755 /usr/bin/pkexec
Could you already have been attacked? It’s possible. A sloppy attack leaves traces in the system log (journalctl, or /var/log/auth.log or /var/log/secure, depending on the distribution): pkexec records either “The value for the SHELL variable was not found in the /etc/shells file” or “The value for environment variable […] contains suspicious content.”
But a sophisticated attacker can make a PwnKit assault without leaving any traces in the logs.
Now, if you’ll excuse me, I have a lot of Linux machines to patch. Good luck with your systems.