Linux vulnerability can be ‘easily exploited’ for local privilege escalation, researchers say

A newly disclosed vulnerability in a widely installed Linux program can be easily exploited for local privilege escalation, researchers from cyber firm Qualys said today.

The memory corruption vulnerability (CVE-2021-4034)—which affects polkit’s pkexec—is not remotely exploitable. However, it can be “quickly” exploited to acquire root privileges, the researchers said in a blog post.

“This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration,” the Qualys researchers said in the post.

In Unix-like operating systems, polkit is used to control system-wide privileges. Polkit’s pkexec is a program that enables an authorized user to execute commands as a different user.

Most Linux distributions affected

All versions of pkexec are affected by the vulnerability, and the program is “installed by default on every major Linux distribution,” the Qualys researchers said.

The first version of pkexec debuted in May 2009, meaning that the vulnerability—which the researchers dubbed “PwnKit”—has been “hiding in plain sight for 12+ years,” according to the blog post.

The researchers said that they’ve “been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS.”

“Other Linux distributions are likely vulnerable and probably exploitable,” the researchers said.

Disclosure

The researchers discovered the vulnerability in November and reported it to Red Hat, which led to today's coordinated announcement with vendors and open-source distributions.

In the blog post, Qualys researchers said they expect vendors to provide patches for the vulnerability “in the short term.”

As of this writing, the Common Vulnerabilities and Exposures (CVE) website did not yet have a listing for CVE-2021-4034.

The Qualys researchers said they don’t plan to post exploit code for the flaw. However, “given how easy it is to exploit the vulnerability, we anticipate public exploits to become available within a few days,” the researchers said in the blog post.

The disclosure comes at a time of particularly high attention on software vulnerabilities, following the December disclosure of a critical remote code execution flaw in Apache Log4j, a widely used logging component. Thanks in large part to the massive response effort from the security community, there have been few cyberattacks of consequence leveraging the Log4j vulnerability, researchers at Sophos said Monday.
