Security incident with the pkexec Linux privilege escalation binary

A high-risk privilege escalation vulnerability has surfaced in pkexec, the command-line tool that handles privilege escalation in Linux shells and ships pre-installed in all major Linux distributions such as Debian, CentOS and Ubuntu. The vulnerability lets a user with a limited-privilege terminal session escalate to full privileges on the local machine, that is, root access. It is trivial to exploit, and proof-of-concept exploits are already in circulation. All versions of pkexec since its launch in 2009 are vulnerable; however, major distributions are already shipping patches in their repositories.

Reach

This vulnerability is exploitable from any Linux user terminal session. It is not a first step in an exploit chain, but it makes privilege escalation from an unprivileged shell trivial, so it raises the risk for internet-exposed systems running vulnerable software (such as a popular CMS or CRM) by enabling a longer, more dangerous exploit chain.

Indicators of Compromise

A possible indicator of compromise for this vulnerability is a log entry containing the string “The value for the SHELL variable was not found the /etc/shells file”. Finding this text in the system logs can indicate that the vulnerability was exploited on the local system whose logs are being analyzed.

Patches and mitigations

All versions of pkexec since its launch in 2009 are vulnerable; however, major distributions are already shipping patches in their repositories. Update pkexec from the system’s package manager to patch the vulnerability. If no patch is available for your distribution yet, the binary’s privilege escalation can be disabled by removing the SUID bit from the binary file: chmod 0755 pkexec
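As an added illustration (not code from the advisory or from the pkexec/polkit project), the following POSIX shell script checks a host for the two points above: the log message named as an indicator, and whether pkexec still carries its SUID bit. It assumes pkexec is at /usr/bin/pkexec and that the message lands in a plain-text log such as /var/log/auth.log; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not code from the advisory or from polkit): a small host
# check for the two points above. It greps a log file for the message the
# advisory names as an indicator, and tests/removes the SUID bit on pkexec.
# Assumptions: pkexec lives at /usr/bin/pkexec and the message is written to
# a plain-text auth log; hosts that only keep journald logs are not covered.

IOC_STRING='The value for the SHELL variable was not found the /etc/shells file'

# Exit 0 when the file exists and carries the SUID bit, 1 otherwise.
is_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Print how many lines of a log file contain the indicator string.
# -F matches it literally, so the message's own odd grammar is kept as-is.
count_ioc_lines() {
    if [ -r "$1" ]; then
        grep -c -F "$IOC_STRING" "$1" || true   # grep -c exits 1 on zero hits
    else
        echo 0
    fi
}

# The advisory's stopgap when no package update is available yet.
drop_suid() {
    chmod 0755 "$1"
}

# Constructed sample log lines (not captured from a real system) so the
# search can be demonstrated offline; line 2 mimics the pkexec message.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 26 10:01:02 host pkexec[4242]: alice: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]
Jan 26 10:03:15 host pkexec[4311]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=]
Jan 26 10:04:00 host sshd[4400]: Accepted publickey for bob from 192.0.2.10 port 51234 ssh2
EOF

echo "indicator lines in sample log: $(count_ioc_lines "$SAMPLE_LOG")"
rm -f "$SAMPLE_LOG"

if is_suid /usr/bin/pkexec; then
    echo "/usr/bin/pkexec is SUID: update the package, or run drop_suid /usr/bin/pkexec as root"
else
    echo "/usr/bin/pkexec is absent or not SUID"
fi
```

Run the search against the real log with count_ioc_lines /var/log/auth.log; on journald-only hosts, search with journalctl instead. A zero count does not prove the host is clean, since logs may have been rotated or tampered with.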


Sources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034

https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

https://isc.sans.edu/diary/rss/28272
