Patching: All Major Linux Distributions

January 26, 2022 8:12 am

Applies To: All Major Linux Distributions

A privilege escalation vulnerability has been found in polkit's pkexec utility. It allows an ordinary local user account to gain administrative access on the machine. pkexec is installed by default in all major Linux distributions.

This vulnerability is tracked as CVE-2021-4034 and is rated high severity. The flaw has been present (and exploitable) since the tool was created in May 2009. Any unprivileged local account can obtain full root privileges, and exploitation is instantaneous. Security researchers already have a proof of concept, although we haven't seen the exploit in the wild yet. Further, this vulnerability can be exploited without leaving any traces in regular logs.

A workaround mitigation for Red Hat systems that do not use Secure Boot can be found below. An Ansible playbook that automates the mitigation can be found here:
https://access.redhat.com/sites/default/files/cve-2021-4034_stap_mitiga…

A vulnerability detection script can be found here:
https://access.redhat.com/sites/default/files/cve-2021-4034--2022-01-25-0936.sh

Please patch your systems as soon as possible.

References:
https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034
https://ubuntu.com/security/CVE-2021-4034
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

Note for Red Hat systems (https://access.redhat.com/security/cve/CVE-2021-4034):
1) Install the required SystemTap packages and their dependencies, as described in https://access.redhat.com/solutions/5441

2) Install polkit debug info:

    debuginfo-install polkit
    
3) Create the following SystemTap script and name it pkexec-block.stp:

    # Kill pkexec (SIGKILL) whenever it is started with an empty first argument,
    # which is the condition the vulnerable code path depends on.
    probe process("/usr/bin/pkexec").function("main") {
        if (cmdline_arg(1) == "")
            raise(9);
    }

4) Load the SystemTap module into the running kernel:

    stap -g -F -m stap_pkexec_block pkexec-block.stp

5) Ensure the module is loaded:

    lsmod | grep -i stap_pkexec_block
    stap_pkexec_block     434176  0

6) Once the polkit package has been updated to a version containing the fix, the SystemTap-generated kernel module can be removed by running:

    rmmod stap_pkexec_block
    
This mitigation does not work on Secure Boot enabled systems, because SystemTap would need an external compile server to sign the generated kernel module with a key enrolled in the kernel's keyring.
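As an added check (not part of the advisory or of Red Hat's scripts), the following POSIX shell script reports whether the SystemTap workaround above is in place on a host. It assumes the module name stap_pkexec_block used in the steps above, pkexec at /usr/bin/pkexec, and that mokutil is available for the Secure Boot check; the lsmod and mokutil outputs are passed into the functions so the logic can be exercised on constructed samples.

```shell
#!/bin/sh
# Added example, not from the advisory: report the state of the
# CVE-2021-4034 SystemTap workaround on this host. Assumes the module name
# stap_pkexec_block, pkexec at /usr/bin/pkexec and mokutil for Secure Boot.

# module_loaded LSMOD_OUTPUT: succeed if stap_pkexec_block is a loaded module.
# Matching the whole first field avoids the substring match that a plain
# `grep -i stap_pkexec_block` would accept for a similarly named module.
module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "stap_pkexec_block" { found = 1 } END { exit !found }'
}

# secure_boot_enabled MOKUTIL_OUTPUT: succeed if `mokutil --sb-state` reported
# Secure Boot enabled; the unsigned module cannot be loaded there.
secure_boot_enabled() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# mitigation_status LSMOD_OUTPUT MOKUTIL_OUTPUT: print one word for the host:
# mitigated, secure-boot (workaround not applicable, patch only), unmitigated.
mitigation_status() {
    if module_loaded "$1"; then
        echo mitigated
    elif secure_boot_enabled "$2"; then
        echo secure-boot
    else
        echo unmitigated
    fi
}

main() {
    lsmod_out=$(lsmod 2>/dev/null || true)
    mok_out=$(mokutil --sb-state 2>/dev/null || echo unknown)
    # The setuid bit on pkexec is the precondition for the escalation.
    if [ -u /usr/bin/pkexec ]; then
        echo "pkexec: present and setuid"
    else
        echo "pkexec: not present or not setuid"
    fi
    echo "workaround: $(mitigation_status "$lsmod_out" "$mok_out")"
}

main "$@"
```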

---
Fabio Martins – MBA, CISSP, CCSP, CISM, CISA, CEH, GASF, CIPP/E, CDPSE
Research Information Security Officer | Information Systems Security & Privacy