Security Advisory: Critical Linux Vulnerability

January 27th, 2022: CyberHoot has investigated a Linux vulnerability, tracked as CVE-2021-4034, that is present in most Linux distributions, allows escalation of privileges up to root, and is trivial to exploit (even though others had previously looked for an exploitable path and failed). The flaw is an exploitable memory-corruption bug that has existed in most Linux distributions for 12 years. It has a CVSS criticality score of 7.8 and lies in Polkit's pkexec program. Qualys security researchers discovered the flaw last October and reported it to all Linux vendors, giving them time to release a patch. Those patches are now available, and the vulnerability was announced to the world on January 27th. If you patch your Linux distributions monthly, you may already have fixed this issue. Regardless, CyberHoot recommends that you check to be certain.

Linux Privilege Escalation Risk in pkexec

Polkit (formerly PolicyKit) provides an organized way for non-privileged processes to communicate with privileged ones. Its pkexec command runs the command named on its command line with elevated (root) privileges. This vulnerability allows any unprivileged user to gain full administrative privileges on a vulnerable host in its default configuration.

Researchers who discovered the bug said in a report that they developed a proof-of-concept (PoC) exploit and obtained full root privileges on default installations of CentOS, Debian, Fedora, and Ubuntu. They also believe that other Linux distributions are “likely vulnerable and probably exploitable.”

What Should You Do?

Patch your Linux systems as soon as possible. Most Linux distributions have released fixes for this issue since learning of it back in October 2021. Red Hat outlined a workaround in their advisory, which we also reproduce below. Advisory and patching information is available from Red Hat, Debian, and Ubuntu.

Given how many systems this vulnerability affects, CyberHoot strongly recommends patching all Linux machines as quickly as possible. That means within the next few days. Public exploits are expected to appear very quickly given the attention this vulnerability is getting.

Emergency Workaround if Patching is Not Possible:

If patches are not available or you cannot patch for any reason, there is a mitigation step you can take. “Remove the SUID-bit from pkexec as a temporary mitigation,” the researchers suggested, giving this example:

# chmod 0755 /usr/bin/pkexec
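The following POSIX shell helper is an added example, not code from CyberHoot, Red Hat or the Polkit project. It audits whether a pkexec binary still carries the SUID bit and applies exactly the chmod 0755 workaround above; the function names and the PKEXEC_PATH and PKEXEC_APPLY variables are this example's own, and it changes nothing unless PKEXEC_APPLY=1 is set.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from CyberHoot, Red Hat or Polkit).
# Audits whether a pkexec binary still has the SUID bit and applies the
# advisory's temporary workaround (chmod 0755) only when explicitly asked.

# Return 0 if the file at $1 exists and has the set-user-ID bit, else 1.
pkexec_is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Print the octal mode of $1 (e.g. 4755 before, 755 after the workaround).
# Tries GNU stat first, then the BSD/macOS form.
pkexec_mode() {
    [ -f "$1" ] || return 1
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Apply the workaround to $1.  Exit status: 0 = SUID bit removed,
# 2 = bit was already absent (patched or mitigated earlier), 1 = error.
pkexec_mitigate() {
    path="$1"
    if [ ! -f "$path" ]; then
        echo "no file at $path; nothing to do" >&2
        return 1
    fi
    if ! pkexec_is_setuid "$path"; then
        echo "$path has no SUID bit (mode $(pkexec_mode "$path")); skipping" >&2
        return 2
    fi
    chmod 0755 "$path" || return 1
    echo "removed SUID bit from $path (now mode $(pkexec_mode "$path"))" >&2
}

# Audit by default; PKEXEC_APPLY=1 applies the change, PKEXEC_PATH overrides
# the default location named in the advisory.
pkexec_main() {
    target="${PKEXEC_PATH:-/usr/bin/pkexec}"
    if ! pkexec_is_setuid "$target"; then
        echo "$target is not SUID or is absent: workaround not needed" >&2
        return 0
    fi
    echo "$target is SUID (mode $(pkexec_mode "$target")): still exposed" >&2
    if [ "${PKEXEC_APPLY:-0}" = "1" ]; then
        pkexec_mitigate "$target"
    else
        echo "set PKEXEC_APPLY=1 to apply chmod 0755 (requires root)" >&2
    fi
}

pkexec_main
```

This remains the temporary mitigation only: pkexec cannot grant privileges without its SUID bit, so the vendor patch (which ships pkexec with the bit set again) is still required.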

You have a Vulnerability Alert Management Process, right?

If you are a subscriber to CyberHoot's services, you have access to our Policy and Process library, which contains the Vulnerability Alert Management Process (VAMP) document. This document prescribes how to respond to situations like this one and in what time frame. If your company has not yet adopted a VAMP-like process, now is a great time to get started.
