Bug in pkexec allows privilege escalation on most Linux distros


Security researchers have discovered a vulnerability in pkexec, a component found in virtually all Linux distributions. The flaw, dubbed PwnKit, lets a local user obtain root on an affected system, and proofs-of-concept that demonstrate exploitation are already circulating.

The vulnerability was discovered by security firm Qualys and has been assigned the identifier CVE-2021-4034; the researchers also refer to it as PwnKit. The bug is in pkexec, a setuid-root utility that is part of Polkit and lets a user run commands as another user once Polkit has authorised the request. pkexec has shipped as standard in most Linux distributions since 2009. According to the researchers, the vulnerability has been present since pkexec's first commit and therefore potentially affects a very large number of systems. Exploiting it requires an attacker who already has access as a local, unprivileged user: it is a local privilege escalation, not a remote attack.

According to the researchers, the root cause is a memory-safety bug in the way pkexec handles its command-line arguments. It allows an out-of-bounds write that an attacker can use to reintroduce an "unsafe" environment variable into pkexec's environment. Such variables are normally stripped from the environment of a setuid program before it starts running, but the researchers found a way around that safeguard.
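How a one-slot out-of-bounds write in the argument handling can land in the environment, as an added illustration (our own model, not pkexec's source and not Qualys's code): execve(2) stores the argv pointers, a NULL, the envp pointers and a final NULL back to back, so argv[argc + 1] is envp[0]. The program below rebuilds that table by hand, runs a simplified sketch of a pkexec-style argument loop against it with argc == 0, and shows that the loop's "resolve the program name" step overwrites envp[0]. The table layout, the loop shape, the stand-in PATH lookup and the sample environment are all assumptions of this example; a caller can produce argc == 0 in a real process by passing an empty argv array to execve(2).

```c
#include <stdio.h>
#include <string.h>

/* execve() lays the argument and environment pointers out back to back:
 *   argv[0] ... argv[argc-1], NULL, envp[0] ... envp[m-1], NULL
 * so argv[argc + 1] is envp[0]. We rebuild that table by hand (an assumed
 * model of the kernel layout, not the real process stack) so the
 * out-of-bounds access can be observed in an ordinary, non-setuid program. */
#define MAX_SLOTS 16

struct ptr_table {
    char *slots[MAX_SLOTS];   /* argv entries, NULL, envp entries, NULL */
    char **argv;
    char **envp;
    int argc;
};

static void build_table(struct ptr_table *t, int argc, char **args,
                        int envc, char **env)
{
    int i = 0, k;
    for (k = 0; k < argc; k++)
        t->slots[i++] = args[k];
    t->slots[i++] = NULL;            /* argv terminator */
    t->argv = t->slots;
    t->envp = &t->slots[i];
    for (k = 0; k < envc; k++)
        t->slots[i++] = env[k];
    t->slots[i++] = NULL;            /* envp terminator */
    t->argc = argc;
}

/* Stand-in for the PATH lookup pkexec performs on a non-absolute program name.
 * It always succeeds here; the real lookup only succeeds if a matching file
 * exists, which the attacker has to arrange. */
static char resolved_program[] = "/usr/bin/resolved-program";

/* Shape of a pkexec-style argument loop (simplified sketch, not its source):
 * n starts at 1, the loop never runs when argc == 0, and argv[n] is then
 * taken as the program to execute. Returns the index it used. */
static int vulnerable_pick_program(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++) {
        if (argv[n][0] != '-')       /* first non-option is the program */
            break;
    }
    char *path = argv[n];            /* argc == 0: this reads envp[0] */
    if (path != NULL && path[0] != '/')
        argv[n] = resolved_program;  /* argc == 0: this overwrites envp[0] */
    return n;
}

/* Hardened variant: refuse an empty argument list before touching argv. */
static int hardened_pick_program(int argc, char **argv)
{
    if (argc < 1)
        return -1;
    return vulnerable_pick_program(argc, argv);
}

/* Run one variant with argc == 0 against a constructed environment and
 * return what envp[0] points at afterwards. */
static const char *envp0_after_argc_zero(int use_hardened)
{
    static char var0[] = "SOMEVAR=value";   /* constructed sample environment */
    static char var1[] = "HOME=/tmp";
    char *env[] = { var0, var1 };
    static struct ptr_table t;

    build_table(&t, 0, NULL, 2, env);
    if (use_hardened)
        hardened_pick_program(t.argc, t.argv);
    else
        vulnerable_pick_program(t.argc, t.argv);
    return t.envp[0];
}

int main(void)
{
    printf("vulnerable, argc == 0: envp[0] = %s\n", envp0_after_argc_zero(0));
    printf("hardened,   argc == 0: envp[0] = %s\n", envp0_after_argc_zero(1));
    return 0;
}
```

The vulnerable variant replaces the first environment entry with the path it "resolved", which is exactly the kind of write that lets a caller smuggle a variable into an environment that the loader had already sanitised; the hardened variant never reads past argv because it rejects argc < 1 first. Any review of code that indexes argv from 1 should ask what happens when argc is 0, because nothing in the C runtime guarantees argv[0] is present.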

Although the discoverers have not published exploit code, they warn that exploits are likely to appear quickly. The vulnerability is, in their words, "very simple", and has been hiding in plain sight the whole time. According to BleepingComputer, working exploits are already available, which the site has also tested.

The researchers say they successfully exploited the bug on Ubuntu, Debian, Fedora and CentOS, and expect other distributions to be "probably also vulnerable and exploitable". Non-Linux systems such as Solaris and the BSDs, which also ship Polkit, may be affected too, but the researchers did not test them in practice. OpenBSD, they say, is not exploitable in any case, because its kernel refuses to execute a program with an empty argument list.

Qualys discovered the bug in November 2021 and reported it to the Polkit maintainers and to distribution vendors. The Polkit developers have released a patch, and distributions are shipping updated packages. As a temporary mitigation the researchers suggest removing the setuid bit from the binary with # chmod 0755 /usr/bin/pkexec. With the bit gone pkexec can no longer escalate privileges at all, so it is not exploitable, but neither can it be used for its legitimate purpose until the patched package restores the bit.
