The Polkit privilege escalation vulnerability, PwnKit, has been hidden in plain sight for more than a decade — 12 years to be precise — in Linux. The vulnerability was identified by Qualys’ researchers in November 2021. Privilege escalation vulnerabilities such as PwnKit (CVE-2021-4034) allow unprivileged local users to obtain root privileges.
The PwnKit vulnerability was disclosed on January 25th, 2022. At the end of the article, there is a list of the patches major Linux distributions have already published to fix this security issue.
PwnKit (CVE-2021-4034)
PwnKit (CVE-2021-4034) is a privilege escalation vulnerability that allows unprivileged local users to obtain full root privileges on any vulnerable Linux distribution. The vulnerability is exploitable in the default configuration, so no special setup is required for an unprivileged local user to abuse it.
The privilege escalation vulnerability lies in a tool called “Polkit”. According to Qualys’ research team, who identified the vulnerability in November 2021, it originates from a memory corruption vulnerability in Polkit’s pkexec. The vulnerability affects all versions of pkexec since its creation in May 2009.
Polkit and pkexec
Polkit is the software responsible for controlling system privileges on Unix-like operating systems. It was formerly known as “PolicyKit”. This tool has been included by default in virtually all Linux distributions released since 2009.
Polkit allows unprivileged processes to communicate with privileged processes, and it can also be used to execute commands with elevated privileges through the command “pkexec”.
Pkexec is a SUID-root program installed by default on all major Linux distributions.
Available PwnKit patches for Debian, Ubuntu and Red Hat Enterprise Linux
Although Qualys’ research team only tested and exploited the PwnKit vulnerability on Ubuntu, Debian, Fedora, CentOS Linux and Red Hat Enterprise Linux (RHEL), it is assumed that other, smaller distributions are also affected.
Here is a list of the patches made available by major Linux distributions:
If no patch is yet available for the Linux distribution you use, you can mitigate exploitation as a temporary or alternative measure by removing the SUID bit from pkexec. To do so, run the following command as root:
# chmod 0755 /usr/bin/pkexec
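The following shell script is an added example, not part of the original article or of Polkit itself. It wraps the interim mitigation above into an audit that a defender can run across a fleet: it reports whether pkexec still carries the SUID bit (and thus remains exposed until a patched package is installed), and it can strip the bit exactly as the article's chmod does. The path /usr/bin/pkexec is assumed from the article and can be overridden; stripping the bit from the real binary requires root, and the mitigation is reversed whenever a package update reinstalls the SUID pkexec, so the audit should be re-run after updates.

```shell
#!/bin/sh
# Added example (not from the original article): audit and, if needed, strip the
# SUID bit from pkexec as an interim mitigation for CVE-2021-4034.
# Assumption: the default install path is /usr/bin/pkexec (override via $1).

# has_suid FILE -> exit status 0 when FILE has the setuid bit set, 1 otherwise
# (also 1 when FILE does not exist).
has_suid() {
    [ -u "$1" ]
}

# mode_of FILE -> prints the octal mode, e.g. 4755 for a SUID-root pkexec.
# Uses GNU stat; falls back to the permission column of ls -ld elsewhere.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || ls -ld "$1" | awk '{print $1}'
}

# audit_pkexec [FILE] -> prints one status line and returns 0 when the system is
# not exposed through SUID pkexec (bit absent or binary not installed), 1 when it is.
audit_pkexec() {
    f="${1:-/usr/bin/pkexec}"
    if [ ! -e "$f" ]; then
        echo "absent: $f (pkexec not installed)"
        return 0
    fi
    if has_suid "$f"; then
        echo "exposed: $f is setuid (mode $(mode_of "$f")); mitigate with: chmod 0755 $f"
        return 1
    fi
    echo "mitigated: $f is not setuid (mode $(mode_of "$f"))"
    return 0
}

# strip_suid FILE -> apply the article's mitigation (chmod 0755) and confirm the
# bit is gone; returns non-zero if chmod failed or the bit is still present.
strip_suid() {
    chmod 0755 "$1" && ! has_suid "$1"
}

# Stand-alone use: audit the real binary, e.g.  sh audit_pkexec.sh /usr/bin/pkexec
if [ -n "${PKEXEC_AUDIT_RUN:-}" ]; then
    audit_pkexec "$1"
fi
```

Note that removing the SUID bit stops the privilege escalation but also breaks legitimate use of pkexec for elevating privileges; treat it as a stopgap until the distribution's patched package is installed, and confirm afterwards that the package did not silently restore the bit.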