A vulnerability CVE-2021-4034 was discovered in the the tool pkexec (part of
polkit) included in many
Linux distributions such as Ubuntu and Redhat in a package called PolicyKit. The CVSS s3 Base Score is 7.8.
The attack complexity is very low and enables privilege escalation resulting in root access on the operating system. The vulnerability can even be exploited by users not being sudoers.
All versions before 0.105 (included) of Polkit (formerly PolicyKit).
The packaging tools could be used to see if the patch was applied such as shown in the example below on a Ubuntu-based distribution:
dpkg -l | grep policykit ii policykit-1 0.105-26ubuntu1.2 amd64 framework for managing administrative policies and privileges
Proof of concept exploits are publicly available and some are listed in the reference section of this document.
Fixing and mitigation
The best fix is to apply the security patches. As the program runs in user space no reboot is needed. In case these patches cannot be applied the file permissions of pkexec can be restricted by removing SUID bit as a temporary mitigation. An example is shown below:
chmod 0755 /usr/bin/pkexec
Detection and incident response
When the vulnerability is abused the following artefact can be searched in the auth.log file located for instance in /var/log/auth.log.
The items TTY, the COMMAND, and SHELL parameters are variable. The COMMAND parameter gives a hint to the location where the exploit code was executed.
In the example below the exploit code is in /home/toto/CVE-2021-4034.
The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/11] [CWD=/home/toto/CVE-2021-4034] [COMMAND=GCONV_PATH=./pwnkit.so:. PATH=GCONV_PATH=. SHELL=/lol/i/do/not/exists CHARSET=PWNKIT]
An alternative is to search on the file system for a directory called
Once the location of the exploit identified, the exploit code could be recovered
from the directory
After this step, standard incident response procedures could be applied to find out what happened after on the server such as forensics on file system or on a memory image.
Are vulnerable servers in Luxembourg?
- Initial vulnerability disclosure
- Ubuntu policykit package
- Patch of the vulnerability in the polkit code base
- RedHat - CVE-2021-4034
- PoC - CVE-2021-4034
- PoC - CVE-2021-4034
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
- Version 1.0 - TLP:WHITE - First version - 26 January 2022