Linux Privilege Escalation Risk in pkexec
Polkit (formerly PolicyKit) provides an organized way for non-privileged processes to communicate with privileged processes. Its pkexec command, followed by the command to be executed, runs that command with root permission. This vulnerability allows any unprivileged local user to gain full administrative (root) privileges on a vulnerable host, with pkexec in its default configuration.
Researchers who discovered the bug said in a report that they developed a proof-of-concept (PoC) exploit and obtained full root privileges on default installations of CentOS, Debian, Fedora, and Ubuntu. They also believe that other Linux distributions are “likely vulnerable and probably exploitable.”
What Should You Do?
Patch your Linux systems as soon as possible. Most Linux distributions have released fixes for this issue since learning of it back in Oct. 2021. Red Hat outlined a workaround in their advisory, which we also reproduce below. Advisory and patching information is available from Red Hat, Debian, and Ubuntu.
Given the large attack surface this vulnerability exposes, CyberHoot strongly recommends patching all Linux machines as quickly as possible. That means within the next few days. Public exploits are expected to appear very quickly given the attention this vulnerability is getting.
Emergency Workaround if Patching is not Possible:
If patches aren’t available or you cannot patch for any reason, here is a mitigation step you can take. “Remove the SUID-bit from pkexec as a temporary mitigation,” the researchers suggested, giving this example:
# chmod 0755 /usr/bin/pkexec
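The following script is an added example, not part of the CyberHoot post or the researchers' advisory. It audits whether the pkexec binary still carries the SUID bit and can apply and verify the temporary workaround above. The path /usr/bin/pkexec matches the post's example but is an assumption that may differ on some distributions; the function and variable names are ours.

```shell
#!/bin/sh
# Added example (not from the original post): audit pkexec for the SUID bit
# and, on request, apply the temporary workaround of setting mode 0755.
# Assumes a POSIX shell with ls, chmod and cut. The binary path below is an
# assumption taken from the post's example; override it with PKEXEC_PATH.

PKEXEC_PATH="${PKEXEC_PATH:-/usr/bin/pkexec}"

# Return 0 if the file at $1 has the SUID bit set, 1 if it does not,
# and 2 if the path does not exist. The fourth character of the long
# listing is 's' (SUID + owner execute) or 'S' (SUID without execute).
suid_bit_set() {
    [ -e "$1" ] || return 2
    case "$(ls -ld "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print a one-line verdict for the binary at $1 (default: PKEXEC_PATH)
# and return the same code as suid_bit_set so callers can branch on it.
audit_pkexec() {
    path="${1:-$PKEXEC_PATH}"
    rc=0
    suid_bit_set "$path" || rc=$?
    case "$rc" in
        0) printf 'SUID SET: %s still carries the SUID bit; patch or apply the workaround\n' "$path" ;;
        1) printf 'MITIGATED: %s has no SUID bit\n' "$path" ;;
        2) printf 'NOT FOUND: %s is not installed\n' "$path" ;;
    esac
    return "$rc"
}

# Apply the workaround from the post (chmod 0755) and verify it took effect.
# Returns 0 on success, 1 if the bit is still set, 2 if the path is missing.
# On a real system this must run as root.
drop_suid_bit() {
    path="${1:-$PKEXEC_PATH}"
    [ -e "$path" ] || return 2
    chmod 0755 "$path" || return 1
    if suid_bit_set "$path"; then
        return 1
    fi
    return 0
}

# Usage: sh pkexec_suid_check.sh audit [path]
#        sh pkexec_suid_check.sh mitigate [path]
case "${1:-}" in
    audit)    audit_pkexec "${2:-}" ;;
    mitigate) drop_suid_bit "${2:-}" && audit_pkexec "${2:-}" ;;
esac
```

Run it in audit mode across your fleet first to find hosts that are still exposed, then in mitigate mode only where patching truly is not possible: without the SUID bit, pkexec can no longer elevate privileges for legitimate callers either, so anything that depends on it will fail until the patched package is installed. Installing the fixed package normally restores the SUID bit, which is the expected end state; re-run the audit after patching to confirm the version, not just the mode, is what you intended.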
You have a Vulnerability Alert Management Process, right?
If you’re a subscriber to CyberHoot’s services, you’ll have access to our Policy and Process library which contains the vulnerability alert management process document. This document prescribes how to respond to situations like this and in what time frame. If your company has not yet adopted a VAMP-like process, now is a great time to get started.