
On January 25th, 2022, the Qualys Research Team publicly disclosed a memory corruption vulnerability in polkit (pkexec), a component included in every major Linux distribution. The exploit, known as PwnKit, is now tracked as CVE-2021-4034.

This vulnerability has been around since the first version of polkit (then known as PolicyKit) was released in 2009. Qualys’s work builds on an existing discussion about this kind of vulnerability and polkit itself. In 2009, Walter Bright wrote about the underlying issues with how C handles array arguments as pointers. In 2013, Ryan Mallon blogged about the application of this C issue on Linux with polkit. In their acknowledgments, Qualys cited work by Tavis Ormandy, Jakub Wilk, and Yuki Koike.

How is PwnKit used by threat actors? What can you do to protect your organization? 

An attacker can use this vulnerability to gain full root privileges, even when polkit itself is not running. Qualys described the work needed to exploit this vulnerability as “trivial” but also noted that it is not remotely exploitable unless an attacker can obtain user access (either as a privileged or unprivileged user) on a vulnerable machine.

SimSpace has identified seven key steps that organizations can take to address this vulnerability quickly:

1. Locate systems running with polkit

Polkit is supported by Linux and other Unix-like systems. We recommend using a cyber range to replicate your production environment and determine which machines are impacted. 

From there, you can check whether they are built on a standard Linux OS, in which case polkit is most likely included by default. If using a custom build, check to see whether the machines have the “policykit” or “polkit” package installed or whether the “pkexec” binary is present.

Similarly, asset management systems or cyber asset attack surface management systems can pull a list of systems running these impacted operating systems and determine whether or not polkit is part of the builds.

2. Determine if polkit can be exploited

Not all systems that polkit supports are vulnerable. Qualys stated that OpenBSD is not exploitable, as it refuses to run (“execve()”) programs with zero command-line arguments (argc is 0), a key step in performing the exploit. However, they have successfully demonstrated exploitation of Ubuntu, Debian, Fedora, and CentOS systems. At this time, it is still worth testing the non-Linux operating systems that polkit supports, such as Solaris and BSD, as Qualys has yet to do so.

3. Prioritize assets for remediation

Once you know which assets in your environment are vulnerable, use the information available about those assets to prioritize patching and mitigation efforts. Consider both the risk profile and business value of the assets.

4. Validate and apply patches for affected systems 

The polkit team and vendors for some of the affected operating systems have already released patches:

Initial patches do not always fully address the vulnerability and might even introduce new risks themselves. For example, the first few patches for the recent Log4Shell exploit of Java’s Log4j package did not protect against the base vulnerability and actually introduced a new denial-of-service vulnerability. As such, it is important to confirm the security and effectiveness of new patches before deploying them in production. You’ll also want to ensure the patch does not interfere with your business operations.

Cyber ranges can provide a perfect context for such patch testing. With the right tools, you can create a high-fidelity copy of your production environment to safely pressure-test new patches, systems and security controls.

5. Test and deploy mitigations for systems without available patches 

Developers have not yet released patches for all affected Linux and Unix-like operating systems. However, you can still temporarily protect systems that do not have a patch or cannot be patched immediately by limiting the permissions of polkit (pkexec).

To do so, run the following command to remove the SUID-bit from pkexec:

# chmod 0755 /usr/bin/pkexec

Alternatively, Red Hat has a more specific series of steps for their systems, which can be found here. In either case, before you run this command in production, make sure it will not have any unintended effects on your business operations by testing the command within a cyber range that mirrors your production system. Once you confirm there are no issues, you can run the mitigation as desired in production.
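The following audit helper is an added example, not code from the SimSpace post: it ties together steps 1, 2 and 5 by checking whether pkexec is installed, whether it still carries the set-uid bit that CVE-2021-4034 depends on, reporting the installed polkit package version, and applying the chmod mitigation above. The default path and the package names (policykit-1 on Debian/Ubuntu, polkit on Fedora/RHEL/CentOS) are assumptions for common distributions.

```shell
#!/bin/sh
# Added audit helper (not from the SimSpace post) covering steps 1, 2 and 5:
# it checks whether pkexec is installed, whether it still carries the set-uid
# bit that CVE-2021-4034 relies on, and reports the installed polkit package
# version. Paths and package names are assumptions for common distributions.

# Classify the pkexec binary at $1: "suid", "nosuid" or "missing".
pkexec_suid_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo suid
    else
        echo nosuid
    fi
}

# Installed polkit package version, via whichever package manager exists
# (Debian/Ubuntu package: policykit-1; Fedora/RHEL/CentOS package: polkit).
polkit_package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' policykit-1 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' polkit 2>/dev/null
    fi
}

# Step 5 mitigation from the post: drop the set-uid bit so pkexec can no
# longer be used to reach root. Echoes the resulting state.
remove_pkexec_suid() {
    chmod 0755 "$1" && pkexec_suid_state "$1"
}

# Human-readable report for one host; exits 0 in every case so it can be
# run unattended from an asset-management agent.
audit_pkexec() {
    path="${1:-/usr/bin/pkexec}"
    ver="$(polkit_package_version)"
    case "$(pkexec_suid_state "$path")" in
        suid)    echo "$path: set-uid bit present (polkit ${ver:-unknown}); vulnerable unless patched" ;;
        nosuid)  echo "$path: present without set-uid bit (mitigation applied)" ;;
        missing) echo "$path: not installed" ;;
    esac
}

audit_pkexec "${PKEXEC_PATH:-/usr/bin/pkexec}"
```

A patched pkexec keeps its set-uid bit, so a "suid" result means "check the package version against your vendor's fixed release", not "exploitable"; only the "nosuid" result confirms the step 5 workaround is in place.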

6. Understand your defense in depth around polkit

With new vulnerabilities coming out regularly, even the best patch management response is only one part of a good defense in depth strategy to prepare for such risks. It is also important to have layers of controls that can prevent, detect or remediate exploitation. Since a user account on a vulnerable machine is required to exploit polkit, appropriate access controls and a zero-trust stack are important measures for limiting an attacker’s ability to gain root access through the PwnKit vulnerability.

Using a cyber range, you can safely run the PwnKit exploit within an accurate model of your environment and see what additional attack steps would be required to access vulnerable machines, test the speed and clarity of your detection suite, and understand your business risk. You can easily use open-source proofs of concept for the PwnKit exploit, such as those by Davide Berardi and Andris Raugulis; SimSpace is using these two in our own research and response efforts to this vulnerability.

7. Train your team on the ins and outs of this vulnerability

SimSpace customers will shortly have access to hands-on training modules on PwnKit as part of our Emerging Threat learning content. This kind of range-based learning experience gives blue, red, and purple team professionals an understanding of how news-breaking vulnerabilities work, how they can be exploited and how to protect their organizations.

Additional resources

Please see the following resources for customers of specific Linux distributions. We will update with links to solutions for other Linux distributions that did not have solutions posted when this blog was written.

Information about PwnKit

Qualys:

MITRE:

  • Entry on CVE-2021-4034 (minimal info at the time of publication, but we expect more information to be posted shortly)

NIST National Vulnerability Database:

  • Entry on CVE-2021-4034 (Placeholder page at the time of publication, but we expect this page to be updated shortly)

Patches

Polkit:

Debian:

  • Post on CVE-2021-4034

Red Hat Enterprise Linux:

Ubuntu:

How SimSpace helps

The SimSpace Cyber Force Platform provides an unparalleled environment for product evaluations, real-world attack simulations and extensive individual and team readiness training. With the most realistic cyber range on the market, you can safely test the impact that exploits like PwnKit would have on your own unique production environment. If your organization is ready to get hands-on and put your security controls to the test, the team at SimSpace will welcome the opportunity to get to know you. 


Blog by David Berliner
David Berliner is the Director of Security Strategy for SimSpace Corporation. His role includes exploring cybersecurity market trends, thought leadership, company positioning, and competitive analysis. David holds a Bachelor of Arts from Brown University and earned his MBA from the Kellogg School of Management at Northwestern.