InfoSec Experts Advise On A 12-year-old Vulnerability Discovered In Polkit For Linux

Another critical open source vulnerability has been discovered. This time it is in a popular component used in major Linux distributions and some UNIX-like operating systems, so it has the potential to impact software development organisations far and wide. PolKit, which provides methods for nonprivileged processes to interact with privileged ones, has been assigned CVE-2021-4034 and dubbed “PwnKit.”

Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, and Travis Biehn, principal security consultant at Synopsys Software Integrity Group, share their thoughts on the incident.

Travis Biehn, Technical Strategist
January 27, 2022 9:16 am

CVE-2021-4034 is (yet another) advisory from the excellent group at Qualys that uncovers (yet another) significant vulnerability in popular software used in pedestrian and mission critical systems alike. In short, this vulnerability in a program distributed in a package allows a user who ought not to have many privileges on a system to get the top tier of privileges on a system. These are otherwise known as ‘local privilege escalations.’ CVE-2021-4034 is notable in that it is easy to carry out, even for novices, as there are already several public functional and stable exploits floating around for anyone to use. Needless to say, it is a good idea to patch your systems, and perhaps even a better idea to look for indicators of compromise. I would also recommend that organizations take a moment to reflect on their ability to do both things without disruption.
pkexec, part of Polkit, is a piece of software normally distributed as the backbone of critical software that runs phones, servers that power the internet, the cloud, your enterprise, the Linux kernel and its operating system. Packaged as distributions that typically combine the mission control, kernel, userland, the stuff that makes the computer do useful things, and a package manager—which updates and installs and versions—into a package that provides end-user delight. Android is a constellation of distributions that usually runs on phones, Ubuntu on some desktops and servers, etc. Operating systems are supposed to provide users with privileges and the vulnerability in pkexec gets you from little to a lot.

The vulnerability itself is interesting in that a single weakness in pkexec is combined with systemic weaknesses that are themselves a result of decades of brilliant decisions smashed together in unexpected contexts without thinking about or identifying the consequences.

Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
January 27, 2022 9:15 am

CVE-2021-4034, also known as PwnKit, is a local privilege escalation vulnerability in Linux. While remote code execution vulnerabilities often garner the most attention, it’s important to note that successful cyber-attacks are often the result of a series of vulnerabilities chained together to accomplish the attacker’s objectives. In this case, a local privilege escalation vulnerability is valuable as the attacker might find they’ve gained access to a Linux system, but with limited access rights. CVE-2021-4034 then could be used to gain additional rights within that system allowing them to escalate their attack. As such, operators of Linux systems should immediately patch their systems, particularly if there is a way for users to access a command console.

