Here's The Quick Fix For The Pwnkit Vulnerability (CVE-2021-4034) On Ubuntu

Don't Be Pwned. Before hackers exploit it on your systems or a third-party supplier's system, learn more about the latest Pwnkit local privilege escalation vulnerability (CVE-2021-4034) and what you can do to remove it on Ubuntu.

In January 2022, the Qualys Research Team discovered a memory corruption vulnerability in polkit's pkexec, a SUID-root program installed by default on many popular Linux distributions to control system-wide privileges in Unix OS. Upon learning about this, Horangi confirmed that this vulnerability also exists within our infrastructure and is a relevant security threat to address.

In the spirit of sharing our continuous security monitoring practices, this blog post will show how we fixed the Pwnkit Vulnerability on Ubuntu.

About Polkit’s pkexec

Polkit, also known as PolicyKit, is used by most Linux distributions; any distribution that uses systemd also uses Polkit. Its main use is to establish communication between non-privileged and privileged users, making it critical in defining and handling authorizations on Unix platforms. Whenever unprivileged users try to execute privileged processes such as admin tasks, Polkit comes into play to prevent that from happening.

Pkexec is part of PolicyKit, the component responsible for controlling system-wide privileges in all Unix OS such as Debian, Ubuntu, Fedora, Red Hat, and CentOS. It is used to execute commands with elevated privileges.

Whenever a user tries to run privileged tasks from the terminal on Linux systems, e.g. with $ sudo, the system will prompt the user to enter a superuser password. Behind the dialog box that typically appears is Polkit, the system service ensuring that unprivileged users are disallowed from performing actions that only admins can.

[Image: Polkit Dialog Box]

For instance, if a user is trying to perform a system update, they would be prevented from doing so unless they have the appropriate admin permissions, i.e. the password. According to the Principle of Least Privilege (PoLP), regular users should not be able to perform system updates.

Here is a typical example of this password requirement on Terminal:

[Image: Admin Password Required Polkit]

Threat Insight: How CVE-2021-4034 can be exploited

Security experts have demonstrated how this vulnerability can be exploited. An attacker with access to any unprivileged user account can use it to gain root privileges on the vulnerable host. This means that attackers can modify sensitive data within the system, or worse, cause it to crash. Fortunately, the vulnerability cannot be exploited remotely: attackers require local access to the machine before they can exploit it.

Since most Linux distributions mentioned above have the pkexec binary, almost all the popular Linux distributions are affected. 

Mitigating CVE-2021-4034 on Ubuntu

Given that this vulnerability went undiscovered by security researchers until recently, Horangi has reason to believe attackers will now use this opportunity to perform malicious acts if given the chance.

We thus recommend that system administrators perform a simple update of their servers or systems to mitigate the issue.

Major vendors have published fixes for their respective OS. Ubuntu, for instance, has provided an update for PolicyKit that addresses the vulnerability on Ubuntu versions 18.04, 20.04 and 21.04.

Below, we document the 3 simple steps we took to mitigate vulnerability CVE-2021-4034:

1. Retrieve the updates from the repositories

$ sudo apt update

2. List all packages eligible for upgrade

[Image: Upgrade Ubuntu Package]

Browse through the packages and pay special attention to the following packages, which need upgrading in relation to the Pwnkit exploit:

  • gir1.2-polkit-1.0: GObject introspection data for PolicyKit
  • libpolkit-agent-1-0: PolicyKit Authentication Agent API
  • libpolkit-agent-1-0-dbgsym: debug symbols for libpolkit-agent-1-0
  • libpolkit-agent-1-dev: PolicyKit Authentication Agent API - development files
  • libpolkit-gobject-1-0: PolicyKit Authorization API
  • libpolkit-gobject-1-0-dbgsym: debug symbols for libpolkit-gobject-1-0
  • libpolkit-gobject-1-dev: PolicyKit Authorization API - development files
  • policykit-1: framework for managing administrative policies and privileges
  • policykit-1-dbgsym: debug symbols for policykit-1
  • policykit-1-doc: documentation for PolicyKit-1

Ubuntu: https://ubuntu.com/security/notices/USN-5252-1

Red Hat: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001

CentOS: https://centos.pkgs.org/7/centos-x86_64/polkit-0.112-26.el7.x86_64.rpm.html

Debian: https://security-tracker.debian.org/tracker/CVE-2021-4034

[Image: List Ubuntu Update Package 1]

[Image: List Ubuntu Update Package 2]

3. Update your packages

It is now time to execute the updates. Of course, instead of picking the packages manually, you can always update all your packages at once:

$ sudo apt upgrade

This will ensure all your packages are updated. For confirmation, you can always run the first command again.

[Image: All Packages Updated Ubuntu]

Horangi recommends that you do a quick reboot after updating the packages. Since it involves a security update, it is also always a good practice to clean up your system. That frees up some space, which is always a good thing. 

Simply type in the following command:

$ sudo apt autoremove

What if an update is unavailable on my OS?

As a temporary mitigation step, users can remove the SUID permission from pkexec, meaning the program will no longer run processes as root. Take note that any processes that rely on it for normal operations will be affected.

The permission can be removed with the following command:

# chmod 0755 /usr/bin/pkexec

How to ensure your packages are continuously updated

To prevent attackers from exploiting this vulnerability, we recommend that users apply the latest security patches when practically possible.

For admins or users who prefer to view every single package installed on their system, below are a few ways to see if your packages are patched to the correct versions (no root privileges required):

  • List all packages currently installed in your system:

$ apt list --installed

[Image: List All Installed Packages Ubuntu]

  • List the currently installed PolicyKit version

$ dpkg -s policykit-1

[Image: List currently installed PolicyKit]
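The checks from step 2, the temporary SUID mitigation and the verification commands above can be combined into one audit helper. This is an added example, not part of the original post: the function names (polkit_pending, is_setuid, pkexec_status), the status words and the sample `apt list --upgradable` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for CVE-2021-4034.

# Matches the polkit packages named in the article's step 2 list.
POLKIT_RE='^(gir1\.2-polkit-1\.0|libpolkit-(agent|gobject)-1-(0|0-dbgsym|dev)|policykit-1(-dbgsym|-doc)?)/'

# Constructed sample of `apt list --upgradable` output (versions are made up).
SAMPLE_UPGRADABLE='Listing...
policykit-1/constructed-security 0.0-2test amd64 [upgradable from: 0.0-1test]
libpolkit-agent-1-0/constructed-security 0.0-2test amd64 [upgradable from: 0.0-1test]
curl/constructed-updates 0.0-9test amd64 [upgradable from: 0.0-8test]'

# stdin: `apt list --upgradable` output.
# stdout: polkit packages still waiting for an upgrade, one name per line.
polkit_pending() {
    grep -E "$POLKIT_RE" | cut -d/ -f1
}

# Succeeds if the file still carries the SUID bit (chmod 0755 not applied).
is_setuid() {
    [ -u "$1" ]
}

# stdin: `apt list --upgradable` output; $1: path to pkexec.
# Prints a one-word status describing what still needs attention.
pkexec_status() {
    pending=$(polkit_pending)
    if [ ! -e "$1" ]; then
        echo "pkexec-absent"
    elif [ -n "$pending" ]; then
        echo "update-pending"            # run `sudo apt upgrade`
    elif is_setuid "$1"; then
        # Either already patched, or no fix is published for this release:
        # confirm with `dpkg -s policykit-1` against the vendor advisory.
        echo "suid-no-pending-update"
    else
        echo "suid-removed"              # temporary mitigation is in place
    fi
}

# Usage on a live host, after `sudo apt update`:
#   apt list --upgradable 2>/dev/null | pkexec_status /usr/bin/pkexec
```

A status of suid-no-pending-update does not prove the host is patched; compare the installed policykit-1 version with the fixed version listed in the vendor advisory for your release.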

Fadzli Roslan

Fadzli Roslan is a Security Engineer at Horangi managing the security of IT systems and servers. He enjoys getting his hands dirty when it comes to cloud security, through which he creates cybersecurity best practices that anyone can adopt.
