On January 25, researchers at Qualys disclosed a high severity local privilege escalation (LPE) vulnerability affecting Linux’s policy kits (Polkit) pkexec utility. Pkexec is an executable designed to allow processes to temporarily assume higher privileges in order to enable non-privileged processes to communicate with privileged processes. As such, pkexec is installed by default on all major Linux distributions. This wide deployment makes the vulnerability widely applicable across a wide range of systems that leverage Linux distributions. Polkit’s function is to control privileges in Unix-like Operating Systems (like a more granular version of sudo). As a “set user ID to root” (SUID-root) executable, pkexec can be used to execute commands with root privileges.
The successful exploitation of this vulnerability will allow any unprivileged user to gain root access on the vulnerable host. As the vulnerability is a local privilege escalation bug, the attacker must first gain access to vulnerable hosts prior to launching the attack, which makes this vulnerability less impactful than a remote code execution (RCE) issue. However, this vulnerability is widely impactful and should be remediated as soon as possible, because as soon as a threat actor establishes a foothold on vulnerable hosts, they are able to easily escalate their privileges an gain administrative control of an impacted system.
The Cyber Fusion Center is aware of at least one Proof of Concept (PoC) exploit being made public. Given the ubiquitous nature of the pkexec executable, the ease of exploitation, and a public PoC becoming available, the CFC expects broad exploitation of the vulnerability in the next several days. As such, the CFC strongly recommends organizations patch as soon as possible. Organizations who are unable to apply provided patches quickly should review the temporary mitigations section of this advisory for guidance.
Affected Operating Systems
The vulnerability described in this advisory has been present in all versions of the pkexec executable since its release in May of 2009. Additionally, the Qualys team who discovered the vulnerability have verified that the vulnerability impacts all recent versions of the most popular Linux distributions such as Ubuntu, Debian, Fedora, Red Hat, and Centos. Other Linux distribution are extremely likely to be vulnerable.
The vulnerability exists due to an out-of-bound memory access issue that is present when the pkexec binary is executed without any command-line arguments. This enables an attacker to coerce pkexec to search for an attacker-controlled executable whose name is set as a specific environment variable. By setting an environment variable and calling pkexec without any arguments, an attacker prompts pkexec to elevate privileges of any attacker-controlled executable to root.
Most major Linux distributions have already released a patch that corrects this issue, and the CFC strongly recommends patching immediately.
Organizations who are unable to apply patches quickly should review the temporary mitigations described below.
Temporary Workarounds and Mitigations
Organizations who are unable to patch can temporarily mitigate this issue with the instructions below.
- Disable the SUID-bit from pkexec:
chmod u-s /usr/bin/pkexe
- Check the permissions with (you should not see any SUID-bit):
lr -l /usr/bin/pkexec
Note: Some of the mitigations described above may impact the legitimate functionality of pkexec and cause unexpected issues. The CFC strongly recommends testing the above procedure on a non-production system prior to applying the temporary mitigations broadly.
What the Cyber Fusion Center is doing
The Cyber Fusion Center is quickly updating any vulnerable versions of pkexec which are deployed across our environment, including on Fusion Premise Equipment (FPE) appliances.
The CFC will also begin a threat hunting campaign designed to identify post-exploitation artifacts left by the compilation or download of the current PoC exploit on the affected hosts.
The CFC is working with our vulnerability scanning vendor partner to deploy plugins to detect this vulnerability. Once available, organizations with the CFC’s Vulnerability Scanning service will be able to validate if this vulnerability is discovered on systems within vulnerability scan scopes.