Every major Linux distro has a PwnKit flaw that is easily exploited to gain root access

Linux-based operating systems are frequently touted as being far more secure than the likes of Windows or macOS. More secure they may be, but they are not completely infallible.

A great example of this is the recently discovered PwnKit vulnerability in the pkexec component of Polkit. The flaw can be exploited to gain root access to a system and it has been a security hole in pretty much all major Linux distros for over 12 years, including Debian, Fedora and Ubuntu.

See also:

Tracked as CVE-2021-4034, PwnKit was discovered by security researchers at Qualys and has existed since at least the middle of 2009. They warn that “this easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration”.

In a write-up about the security flaw, Qualys says:

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83,  “Add a pkexec(1) command”).

The video below shows an exploit proof of concept:

What is worrying about the vulnerability, apart from the number of Linux distributions it affects and the fact it allows for root access, is that an exploit is already out in the wild. The good news is that the vulnerability has been known about for a couple of weeks, so distro-makers have had time to come up with patches that should be rolling out in due course.

If you find that a patch is not yet available for the distro you’re running, you can run the following command to remove read/write rights from pkexec:

chmod 0755 /usr/bin/pkexec

More information is available in the post from Qualys.

Image credit: Spectral-Design / Shutterstock

Author: Martha Meyer