12-year-old Linux root privilege flaw has been "hiding in plain sight"
Researchers were quick to highlight how easy it was to exploit the vulnerability, recommending urgent patches
An 'easily exploitable' root privilege security vulnerability has been discovered in popular default Linux distributions and "has been hiding in plain sight" for more than 12 years, according to security researchers.
Best Linux distros 2023: The finest open source operating systems around Windows vs Linux: What's the best operating system? How to choose the right Linux distro for you
Qualys discovered and developed a working exploit for the vulnerability, dubbed 'PwnKit', which could allow an unprivileged user to gain root privileges on a vulnerable machine. The researchers said it affects popular distros including Ubuntu, Debian, Fedora, and CentOS, adding that other distros are also likely vulnerable and exploitable.
The flaw was found in Polkit - a component in Unix-like systems that allows non-privileged processes to communicate with privileged processes using the command 'pkexec' followed by the command set to be executed.
Qualys said the vulnerability affects all versions of pkexec since its first version in May 2009 (commit c8c3d83) and is tracked as CVE-2021-4034. Achieving root access allows an attacker to execute any command on, and access any part of a system.
The vulnerability is not remotely exploitable, which means the attacker would need to have physical access to the target machine, but Qualys said the exploit can be executed quickly to gain root privileges.
The author of the blog post that detailed the vulnerability, Bharat Jogi, director of vulnerability and threat research at Qualys, said he would not be publishing exploit code but given the simple nature of exploiting it, Qualys expects publicly available exploits to be circulating within days.
Businesses concerned about the vulnerability in their environments can check for patches for their specific distro but if there are none available, one workaround is to remove the SUID-bit from pkexec as a temporary mitigation.
Technical details of PwnKit
The full technical details can be found in Qualys' blog post but in summary, the vulnerability lies in the way pkexec reads environmental variables and attackers can re-introduce unsecured environmental variables that are normally removed from the environment of SUID programs before the main function is called.
RELATED RESOURCE
The top three IT pains of the new reality and how to solve them
Driving more resiliency with unified operations and service management
Qualys' concise description: "If our PATH is “PATH=name=.”, and if the directory “name=.” exists and contains an executable file named “value”, then a pointer to the string “name=./value” is written out-of-bounds to envp[0]."
Although polkit supports other non-Linux operating systems such as Solaris and *BSD, Qualys has not yet investigated if the exploit works on these systems but can confirm OpenBSD is not exploitable.
"Given the breadth of the attack surface for this vulnerability across both Linux and non-Linux OS, Qualys recommends that users apply patches for this vulnerability immediately," said Jogi.
-
SecurityHQ names Aaron Hambleton as product and services chiefNews Industry veteran will lead product and service innovation across the provider's cybersecurity portfolio
-
Cisco teams up with DSIT to drive digital skills adoptionNews Partnership supports the government's TechFirst program to provide one million secondary school students with access to digital learning experiences
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
