Security researchers from Qualys have disclosed a flaw in the Polkit (formerly PolicyKit) component present in all GNU/Linux distributions for controlling system-wide privileges.
According to the researchers, the vulnerability (CVE-2021-4034) was discovered in PolicyKit’s pkexec tool, which incorrectly handled command-line arguments. This could lead to local privilege escalation, allowing any regular user in a GNU/Linux distribution to gain administrative privileges and run programs as an administrator (root).
The bad news is that PolicyKit’s pkexec tool was vulnerable for more than 12 years, since its creation in May 2009, and it can be exploited even if the Polkit daemon is not running.
While the researchers from Qualys haven’t yet published their exploit yet, they said that the vulnerability is “trivially exploitable” and warned Linux users that other researchers might publish their exploits shortly after patches become available in most distributions.
The good news is that most major GNU/Linux distributions already received patched versions of the Polkit package. At the moment of writing, Debian published patches for Debian GNU/Linux 10 “Buster” and Debian GNU/Linux 11 “Bullseye” systems, and Canonical published patches for all of its supported Ubuntu releases.
Red Hat and the Fedora Project are also testing patches for all of their supported Red Hat Enterprise Linux and Fedora Linux releases, and, of course, the Polkit vulnerability is now patched in popular rolling-release distributions like Arch Linux and openSUSE Tumbleweed.
If your distro didn’t yet receive patches for this Polkit vulnerability, the Qualys researchers recommend that you remove the SUID-bit from the pkexec tool as a temporary mitigation by running the command below in a terminal emulator.
sudo chmod 0755 /usr/bin/pkexec
Without any further ado, take this article as a reminder to keep your GNU/Linux distributions up to date at all times and do not ignore updates and security patches when they’re available for installation. If you’re already up-to-date, then you shouldn’t worry about this PolicyKit flaw anymore.
Update: Patched Polkit packages also landed today in all supported Fedora Linux releases.
Last updated 8 months ago