Our security team is aware of recent exploitation of a 12-year-old security flaw in the sudo-like Polkit pkexec tool, which is found in all major Linux distributions.
About Polkit pkexec in Linux:
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).
Vulnerability Description (CVE-2021-4034):
A local privilege escalation vulnerability was found in polkit's pkexec utility and is tracked as CVE-2021-4034. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec does not correctly handle the number of arguments it is called with and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that pkexec is induced to execute arbitrary code. When the attack is successful, it results in a local privilege escalation, giving unprivileged users administrative rights on the target machine.
Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).
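The argument-count flaw described above, shown as an added secure-coding example (not the advisory's text and not polkit's source): on Linux the environment pointer array sits directly after argv's NULL terminator, so a program started with an empty argument vector (argc == 0) that indexes argv[1] without checking argc reads envp[0] instead. The array `empty_argv_then_env` below is a constructed stand-in for that memory layout, and the function names and the SOMEVAR value are assumptions made for the example.

```c
/* Added example: models the argc handling flaw behind CVE-2021-4034.
 * Not polkit code. The contiguous argv/envp layout is simulated with
 * a constructed array so the example runs without a setuid binary. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: trusts the caller and indexes argv[1] blindly.
 * Returns the string the program would go on to treat as the command. */
const char *command_unchecked(int argc, char **argv) {
    (void)argc;                /* argc is never validated */
    return argv[1];            /* with argc == 0 this is envp[0] */
}

/* Hardened form: refuse to proceed unless a real argument is present. */
const char *command_checked(int argc, char **argv) {
    if (argc < 2 || argv[1] == NULL)
        return NULL;           /* caller should print usage and exit */
    return argv[1];
}

/* Constructed stand-in for the process memory with argc == 0:
 * argv = { NULL } immediately followed by envp = { "SOMEVAR=...", NULL }.
 * The variable name and value are made up for this example. */
char *empty_argv_then_env[] = {
    NULL,                      /* argv[0]: the argv terminator */
    "SOMEVAR=/example/path",   /* envp[0], reachable as argv[1] */
    NULL
};

/* Runs both variants against the constructed layout; returns 1 when the
 * unchecked version picks up the environment entry and the checked
 * version correctly rejects the empty argument vector. */
int demo(void) {
    char **argv = empty_argv_then_env;
    const char *bad = command_unchecked(0, argv);
    const char *good = command_checked(0, argv);
    printf("unchecked picked: %s\n", bad ? bad : "(null)");
    printf("checked picked:   %s\n", good ? good : "(null)");
    return bad != NULL && strncmp(bad, "SOMEVAR=", 8) == 0 && good == NULL;
}

int main(void) { return demo() ? 0 : 1; }
```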
Take vulnerability management, threat detection and response to the next level. Subscribe for a free trial of USM Anywhere; it centralizes asset discovery, vulnerability scanning and security monitoring of networks and devices in the cloud, on premises, and in remote locations, helping you to quickly detect and respond to threats virtually anywhere.