Serious PwnKit flaw in default Linux installations requires urgent patching

Security researchers have found a privilege escalation vulnerability in pkexec, a tool that's present by default on many Linux installations. The flaw, called PwnKit, could allow attackers to easily gain root privileges on systems if they have access to a regular user without administrative privileges.

Researchers from security firm Qualys who discovered and reported the vulnerability were able to confirm it is exploitable in default configurations on some of the most popular Linux distributions including Ubuntu, Debian, Fedora and CentOS. They believe others are likely impacted as well, since the vulnerable code has existed in pkexec since the tool's first version, over 12 years ago.

What is the PwnKit flaw?

Pkexec is part of a Linux component known as the PolicyKit or PolKit that provides an authorisation API through which unprivileged programs can access features offered by privileged programs or services. The pkexec utility itself also allows users to execute commands as another user and if no user is specified, it will execute the commands as root, the highest privileged account on Linux and UNIX systems.

The researchers found an out-of-bounds memory error, now tracked as CVE-2021-4034, in the pkexec code that allows attackers to pass dangerous environment variables such as LD_PRELOAD to the execution flow. LD_PRELOAD is an optional variable that tells a program a custom path where it should search for shared libraries or objects and load them before any other library during execution.

Normally, there is a mechanism in place that should clear such dangerous environment variables before pkexec commands are executed. Because of the memory vulnerability, attackers can bypass this mechanism. The Qualys researchers have not explained this part of the exploit in detail and will not release a proof-of-concept exploit for the vulnerability yet because of the high risk and widespread impact associated with the flaw.

"The current version of pkexec doesn't handle the calling parameters count correctly and ends up trying to execute environment variables as commands," Red Hat explained in a security advisory. "An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code."

Since this is a local privilege escalation vulnerability, it cannot be exploited remotely. Attackers need to gain access to a local account on the system first. However, while generally not rated critical, local privilege escalation vulnerabilities are an important part of modern exploit chains.

Due to the anti-exploitation mechanisms in place in modern operating systems and applications, attackers often need to chain multiple vulnerabilities together to gain full system access. Remote code execution in the context of an unprivileged user can be obtained in a variety of ways -- for example, by exploiting a separate vulnerability or misconfiguration in another application or service or by tricking a user to execute a malicious application. Because of this, easy-to-exploit privilege escalation vulnerabilities in components that exist by default configurations on millions of systems pose a very serious risk.

Mitigation for the pkexec vulnerability

Most Linux distributions are in the process of releasing patches for pkexec or have documented alternative temporary mitigations (Red Hat, Debian and Ubuntu). Users are advised to deploy the patches as soon as possible as they become available for their Linux variant and version.

Red Hat users can use SystemTap to deploy a temporary mitigation. SystemTap is a system administration and monitoring utility that allows users to write and execute scripts as kernel modules. The company's security bulletin for CVE-2021-4034 includes a mitigation SystemTap script that's designed to block pkexec. The limitations are that the script needs to be reloaded into the kernel every time the system is rebooted and that it doesn't work on systems with Secure Boot enabled. That's because the Secure Boot mechanism is designed to verify that all kernel modules are signed with a trusted developer key and SystemTap scripts are user-generated and unsigned.

On Secure Boot enabled systems "SystemTap would require an external compiling server to be able to sign the generated kernel module with a key enrolled into the Kernel's keyring," the company explained. Red Hat has also created a script that can detect if a system is vulnerable and another Ansible playbook that can automate the mitigation deployment.

Security researcher Florian Roth has updated his open-source best practice auditd configuration to include a rule that can detect attempts to exploit CVE-2021-4034. The Linux Auditing System (auditd) is a native Linux kernel feature that can be used to record system activity to facilitate incident investigation.