IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

12-year-old Linux root privilege flaw has been "hiding in plain sight"

Researchers were quick to highlight how easy it was to exploit the vulnerability, recommending urgent patches

An 'easily exploitable' root privilege security vulnerability has been discovered in popular default Linux distributions and "has been hiding in plain sight" for more than 12 years, according to security researchers.

Qualys discovered and developed a working exploit for the vulnerability, dubbed 'PwnKit', which could allow an unprivileged user to gain root privileges on a vulnerable machine. The researchers said it affects popular distros including Ubuntu, Debian, Fedora, and CentOS, adding that other distros are also likely vulnerable and exploitable.

The flaw was found in Polkit - a component in Unix-like systems that allows non-privileged processes to communicate with privileged processes using the command 'pkexec' followed by the command set to be executed.

Qualys said the vulnerability affects all versions of pkexec since its first version in May 2009 (commit c8c3d83) and is tracked as CVE-2021-4034. Achieving root access allows an attacker to execute any command on, and access any part of a system.

The vulnerability is not remotely exploitable, which means the attacker would need to have physical access to the target machine, but Qualys said the exploit can be executed quickly to gain root privileges.

The author of the blog post that detailed the vulnerability, Bharat Jogi, director of vulnerability and threat research at Qualys, said he would not be publishing exploit code but given the simple nature of exploiting it, Qualys expects publicly available exploits to be circulating within days. 

Businesses concerned about the vulnerability in their environments can check for patches for their specific distro but if there are none available, one workaround is to remove the SUID-bit from pkexec as a temporary mitigation.

Technical details of PwnKit

The full technical details can be found in Qualys' blog post but in summary, the vulnerability lies in the way pkexec reads environmental variables and attackers can re-introduce unsecured environmental variables that are normally removed from the environment of SUID programs before the main function is called.

Related Resource

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Man at his computer next to title card - whitepaper from ServiceNowFree download

Qualys' concise description: "If our PATH is “PATH=name=.”, and if the directory “name=.” exists and contains an executable file named “value”, then a pointer to the  string “name=./value” is written out-of-bounds to envp[0]."

Although polkit supports other non-Linux operating systems such as Solaris and *BSD, Qualys has not yet investigated if the exploit works on these systems but can confirm OpenBSD is not exploitable.

"Given the breadth of the attack surface for this vulnerability across both Linux and non-Linux OS, Qualys recommends that users apply patches for this vulnerability immediately," said Jogi. 

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022