Service Notices
Linux Polkit Privilege Escalation Vulnerability (CVE-2021-4034)
Jan 28, 2022 GMT+08:00
I. Overview
A security research team has disclosed a local privilege escalation vulnerability (CVE-2021-4034, also dubbed PwnKit) in Polkit's pkexec. By exploiting it, unprivileged users can gain full root privileges on a vulnerable host in its default configuration. Proof-of-concept and exploit code (POC/EXP) for this vulnerability has been publicly disclosed, and the risk is high.
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. pkexec is part of the Polkit framework. It executes commands with elevated permissions and is an alternative to sudo. If you are a Polkit user, check your Polkit version and implement timely security hardening.
Reference: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
II. Severity
Severity: important
(Severity levels: low, moderate, important, and critical)
III. Affected Products
Affected versions:
All the Polkit versions released since May 2009.
All the Linux systems where Polkit is preinstalled are affected, including CentOS, Ubuntu, Debian, Red Hat, Fedora, Gentoo and Mageia.
Secure versions:
CentOS series
CentOS 6: polkit-0.96-11.el6_10.2
CentOS 7: polkit-0.112-26.el7_9.1
CentOS 8.0: polkit-0.115-13.el8_5.1
CentOS 8.2: polkit-0.115-11.el8_2.2
CentOS 8.4: polkit-0.115-11.el8_4.2
Ubuntu series
Ubuntu 21.10: policykit-1-0.105-31ubuntu0.1
Ubuntu 20.04 LTS: policykit-1-0.105-26ubuntu1.2
Ubuntu 18.04 LTS: policykit-1-0.105-20ubuntu0.18.04.6
Ubuntu 16.04 ESM: policykit-1-0.105-14.1ubuntu0.5+esm1
Ubuntu 14.04 ESM: policykit-1-0.105-4ubuntu3.14.04.6+esm1
Debian series
Debian stretch: policykit-1 0.105-18+deb9u2
Debian buster: policykit-1 0.105-25+deb10u1
Debian bullseye: policykit-1 0.105-31+deb11u1
Debian bookworm, bullseye: policykit-1 0.105-31.1
IV. Vulnerability Handling
1. Linux vendors, such as Red Hat, Ubuntu, Debian, and SUSE, have released patches to fix this vulnerability. Please upgrade your Linux to a secure version.
Vendor advisories: Red Hat; Ubuntu (USN-5252-1, USN-5252-2); Debian; SUSE; Fedora
The manual upgrade commands are as follows:
CentOS:
yum clean all && yum makecache
yum update polkit -y
After the upgrade is complete, run the rpm -qa polkit command to view the version information.
Ubuntu:
sudo apt-get update
sudo apt-get install policykit-1
After the upgrade is complete, run the dpkg -l policykit-1 command to view the version information.
SUSE:
zypper update polkit
2. If no patch is available for your system, run the chmod 0755 /usr/bin/pkexec command as root to remove the SUID bit from pkexec.
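The two handling steps above can be checked per host with a short script. This is an added example, not part of the original notice: the fixed versions are a subset copied from the "Secure versions" list, while the distro keys (such as centos7) and function names are assumptions made for this script.

```shell
#!/bin/sh
# Added example (not from the advisory): triage one host for CVE-2021-4034.
# Get the installed version with the package manager, for example:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' polkit
#   dpkg-query -W -f='${Version}\n' policykit-1

# Fixed versions copied from this page (subset); keys are hypothetical names.
fixed_version() {
    case "$1" in
        centos7)     echo "0.112-26.el7_9.1" ;;
        ubuntu20.04) echo "0.105-26ubuntu1.2" ;;
        ubuntu18.04) echo "0.105-20ubuntu0.18.04.6" ;;
        debian10)    echo "0.105-25+deb10u1" ;;
        *)           return 1 ;;
    esac
}

# True when installed >= fixed. sort -V only approximates rpm/dpkg ordering;
# it is adequate for the version strings above, not a full implementation.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Prints "suid", "no-suid" or "missing" for the given pkexec path.
pkexec_suid_state() {
    if [ ! -e "$1" ]; then echo "missing"
    elif [ -u "$1" ]; then echo "suid"
    else echo "no-suid"
    fi
}

# assess <distro-key> <installed-version> <pkexec-path>
# Prints: patched | mitigated | vulnerable | unknown
assess() {
    fixed=$(fixed_version "$1") || { echo "unknown"; return 0; }
    if version_ge "$2" "$fixed"; then echo "patched"; return 0; fi
    # Unpatched package: exposure depends on the SUID bit (step 2 above).
    case "$(pkexec_suid_state "$3")" in
        suid) echo "vulnerable" ;;
        *)    echo "mitigated" ;;   # SUID bit removed, or pkexec not present
    esac
}
```

On a real host, pass /usr/bin/pkexec as the third argument; a result of "mitigated" means the package still needs upgrading once a patch is available.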
Huawei Cloud Host Security Service (HSS) can scan your system for this vulnerability. To view vulnerability detection details, choose Risks > Vulnerabilities on the HSS console. For details, see Vulnerability Management.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.