If it's not one thing, it's another. After one real Linux problem -- the heap overflow bug in the Linux kernel's fs/fs_context.c program -- is found and fixed, then a new security problem is discovered. This time security company Qualys has uncovered a truly dangerous memory corruption vulnerability in polkit's pkexec, CVE-2021-4034.
Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It's installed by default in every major Linux distribution.
Want a good tech job? Then you need to know Linux and open-source software. One of the best ways to learn is via a Linux Foundation course.
Read nowHow dangerous is it? Very.
This vulnerability is easy to exploit. And, with it, any ordinary user can gain full root privileges on a vulnerable computer by exploiting this vulnerability in its default configuration. As Qualys wrote in its brief description of the problem: "This vulnerability is an attacker's dream come true."
Their dream is our nightmare.
Why is it so bad? Let us count the ways:
Lovely, simply lovely.
Also: This sneaky ransomware is now targeting Linux servers, too
It's so dangerous because the program itself is so powerful; it's a component for controlling system-wide privileges in Unix-like operating systems. While we know Linux can be attacked, Solaris and other Unix systems may also be vulnerable. We do know, however, that OpenBSD can't be attacked by exploits using this vulnerability.
Red Hat rates the PwnKit as having a Common Vulnerability Scoring System (CVSS) score of 7.8. This is high.
When used correctly, Polkit provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed with root permission.
In other words, pkexec is like the sudo command. Indeed, Debian developers describe it as "the sudo of systemd."
This vulnerability, which has been hiding in plain sight for 12+ years, is a problem with how pkexec reads environmental variables. The short version, according to Qualys, is: "If our PATH is "PATH=name=.", and if the directory "name=." exists and contains an executable file named "value", then a pointer to the string "name=./value" is written out-of-bounds to envp[0]."
While Qualys won't be releasing a demonstration exploit, the company is sure it won't take long for exploits to be available. Frankly, it's not that hard to create a PwnKit attack.
Also: In 2022, security will be priority number one for Linux and open-source developers
This is why you should obtain and apply a patch as quickly as possible from your Linux distributor. If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation. For example, this root-powered shell command will stop attacks:
#chmod 0755 /usr/bin/pkexec
Could you already have been attacked? It's possible. If there's been a sloppy attack on your system, see if there are traces in the logs. Typically this will be either "The value for the SHELL variable was not found in the /etc/shells file" or "The value for environment variable [...] contains suspicious content."
But a sophisticated attacker can make a PwnKit assault without leaving any traces in the logs.
Now, if you'll excuse me, I have a lot of Linux machines to patch. Good luck with your systems.