PwnKit: PolKit’s pkexec CVE-2021-4034 Vulnerability Exploitation

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

On January 25, 2021, Qualys disclosed a memory corruption vulnerability (CVE-2021-4034) found in PolKit’s pkexec [1]. The vulnerability has a CVSS score of 7.8 (high) [2]. This vulnerability can easily be exploited for local privilege escalation. In other words, unprivileged users can execute code as the root user when they exploit CVE-2021-4034.

Validate your security controls against CVE-2021-4034 exploits

What Are PolKit and pkexec?

Formerly known as PolicyKit, PolKit is a widely used component in Unix-like operating systems. It controls system-wide privileges and provides an organized way for non-privileged processes to communicate with privileged processes. PolKit has a command in its toolset called pkexec. pkexec command is a SUID-root program that allows users to run commands as another user such as root [3]. This command is in default configuration of many major Linux distributions such as Ubuntu, Debian, Fedora and CentOS. 

What is the CVE-2021-4034  Vulnerability?

The CVE-2021-4034 vulnerability of pkexec is a memory corruption vulnerability. This vulnerability allows attackers to manipulate environment variables in Unix-like operating systems. This vulnerability existed since the inception of pkexec in May 2009.  

How do Attackers Exploit Pwnkit CVE-2021-4034  Vulnerability?

Attackers use the CVE-2021-4034 vulnerability to add libraries of their choosing to environment variables such as PATH variable. Since pkexec command is mainly used by unprivileged users for executing commands as root, this exploitation allows attackers to gain elevated privileges in the target system.

What is the Impact of CVE-2021-40444 Vulnerability?

CVE-2021-4034 allows unprivileged attackers to execute commands with elevated privileges on a local Linux system. PwnKit vulnerability requires a local user on the victim’s operating system and is categorized under MITRE ATT&CK TA0004 Privilege Escalation tactics. The CVSSv3 base score for CVE-2021-4034 is 7.8 High [2].

How to Protect Your Organization From PolKit Vulnerability Exploits?

To protect against exploitation of CVE-2021-4034 PwnKit vulnerability, we highly advise organizations to identify vulnerable systems on their networks and update them. Since pkexec was vulnerable from its conception, we can assume all Linux distributions that are using it in default configuration are vulnerable.  

Validate your security controls against CVE-2021-4034 exploits NOW!

How Picus Helps Simulate PwnKit Vulnerability Exploits?

Picus Continuous Security Validation Platform tests your security controls against vulnerability exploitation attacks and suggests related prevention methods.

Picus Labs advises you to simulate PwnKit CVE-2021-4034 vulnerability exploitation attack and determine the effectiveness of your security controls against it.

Threat ID

Action Name

Attack Module

52160

Linux Polkit pkexec Elevation of Privilege Vulnerability Threat

Email Infiltration (Phishing)

57401

Linux Polkit pkexec Elevation of Privilege Vulnerability Threat

Network Infiltration

References

[1] B. Jogi, “PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034),” Qualys Security Blog, 25-Jan-2022. [Online]. Available: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

[2] “Red Hat Customer Portal - Access to 24x7 support and knowledge.” [Online]. Available: https://access.redhat.com/security/cve/CVE-2021-4034

[3] “pkexec(1): Execute command as another user - Linux man page.” [Online]. Available: https://linux.die.net/man/1/pkexec