Major Linux PolicyKit security vulnerability uncovered: Pwnkit

If it’s not one thing, it’s another. After one real Linux problem — the heap overflow bug in the Linux kernel’s fs/fs_context.c — is found and fixed, a new security problem is discovered. This time security company Qualys has uncovered a truly dangerous memory corruption vulnerability in polkit’s pkexec, CVE-2021-4034.

Polkit, formerly known as PolicyKit, is a systemd SUID-root program. It’s installed by default in every major Linux distribution.

How dangerous is it? Very. 

This vulnerability is easy to exploit, and with it any ordinary local user can gain full root privileges on a vulnerable computer in its default configuration. As Qualys wrote in its brief description of the problem: “This vulnerability is an attacker’s dream come true.”

Their dream is our nightmare. 

Why is it so bad? Let us count the ways: 

- Pkexec is installed by default on all major Linux distributions. Qualys has exploited Ubuntu, Debian, Fedora, and CentOS in their tests, and they’re sure other distributions are also exploitable.
- Pkexec has been vulnerable since its creation in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).
- An unprivileged local user can exploit this vulnerability to get full root privileges.
- Although this vulnerability is technically a memory corruption, it is exploitable instantly and reliably in
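Because the whole problem hinges on pkexec being a setuid-root binary, the first thing an administrator wants to know is whether the copy on a given host still carries that bit. The following check is an added example written for this article, not code from Qualys, polkit, or ZDNet; the default path /usr/bin/pkexec is an assumption and should be overridden for distributions that install it elsewhere.

```shell
#!/bin/sh
# Added example (not from the article or from the polkit project): report
# whether a pkexec binary is setuid root, which is the precondition for the
# local root escalation described for CVE-2021-4034.
# The default path below is an assumption; pass your own path as $1.

# Returns 0 if the file at $1 has the setuid bit set, 1 otherwise
# (including when the file does not exist).
pkexec_is_setuid() {
    [ -u "$1" ]
}

# Returns 0 only when the file at $1 is both setuid and owned by root.
# find(1) with -user/-perm is used rather than stat(1) for portability.
pkexec_is_setuid_root() {
    [ -e "$1" ] || return 1
    match=$(find "$1" -maxdepth 0 -user root -perm -4000 2>/dev/null)
    [ -n "$match" ]
}

# Human-readable summary for one path. Exit status: 0 = setuid root
# (still exposed unless the package is patched), 1 = bit cleared,
# 2 = binary not present.
report_pkexec() {
    path="${1:-/usr/bin/pkexec}"
    if [ ! -e "$path" ]; then
        echo "$path: not present"
        return 2
    fi
    if pkexec_is_setuid_root "$path"; then
        echo "$path: setuid root; verify the installed polkit package carries your distribution's fix for CVE-2021-4034"
        return 0
    fi
    echo "$path: not setuid root; the local root path used by CVE-2021-4034 is closed on this host"
    return 1
}

# Usage: run the summary against the default (or supplied) path when the
# script is executed directly.
[ "${PKEXEC_CHECK_NO_MAIN:-}" = "1" ] || report_pkexec "$@"
```

The exit status is deliberate so the check can be dropped into a fleet-wide inventory job: hosts returning 0 still need their polkit package version compared against the distribution's advisory, while a 1 means the setuid bit has already been removed.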

Read More: https://www.zdnet.com/article/major-linux-policykit-security-vulnerability-uncovered-pwnkit/#ftag=RSSbaffb68