Hiding in Plain Sight: Researchers Discover Critical Linux Bug

It’s not been an easy time for system administrators of late. Many are still dealing with the fallout from the various Log4j vulnerabilities, which turned the IT world upside down over the past two months. Unfortunately, the bad news keeps on coming. The latest discovery is an easy-to-exploit bug in a popular Linux program called pkexec.

The flaw has been hiding in plain sight for the past 12+ years. Fortunately, the researchers who discovered the bug have been proactively working with vendors and almost all major distributions had fixes in their upstream repositories at the time of the announcement.

So what is it, how might it impact your organization and how can Tanium help?

What is PwnKit?

The vulnerability (CVE-2021-4034) has already been given a snappy moniker by the researchers at Qualys that found it: PwnKit. That’s because pkexec is found in an application-level toolkit known as Polkit (formerly PolicyKit).

Polkit is used to enable non-privileged processes to communicate with privileged processes in Unix-like operating systems. And using pkexec, it enables users to execute commands with high privileges.

There are several reasons why PwnKit is so dangerous:

• The vulnerability is present in all Polkit versions from 2009 onwards
• Pkexec is installed by default on all major Linux distributions
• It’s easy to exploit, and exploit code was available within hours of the public disclosure
• It could allow a threat actor to gain full root privileges on a targeted system, enabling them to do serious damage

Why should you care?

PwnKit is not remotely exploitable. But it can be leveraged if an attacker logged in to a targeted system first as a non-privileged. That’s fairly easy to do these days, either by exploiting another bug, or using breached or brute-forced user credentials.

Leveraging PwnKit, an attacker can then escalate privileges all the way to the root. With these system rights, they could steal highly confidential data, and deploy ransomware and other malware everywhere across your organization.

If you’re running Ubuntu, Debian, Red Hat or CentOS, the chances are you’re running a vulnerable version of pkexec. Other Linux distributions are said to be “likely vulnerable and probably exploitable”— as might Solaris and other Unix-like operating systems.

Fortunately, patches are available, with Debian, Ubuntu and Red Hat already issuing advisories. It’s strongly recommended that you patch CVE-2021-4034 (aka PwnKit) as soon as possible. If no patches are available, removing the SUID-bit from pkexec will mitigate the exploitability but may impact operations and should be seen as a mitigation of last resort when patching is not possible in a timely manner, and only after thorough testing.

How can Tanium help?

Tanium can provide the visibility and control necessary to find vulnerable pkexec instances, identify signs of exploitation and remediate the problem across your IT environment. Here’s how:

Tanium Interact: Find potentially vulnerable instances with the Tanium platform. If patching is not immediately possible, organizations can test and apply the mitigation of removing the SUID bit while preparing to appropriately patch.

Tanium Patch: Deliver patches as required to any supported versions of Linux distributions running in your environment. Tanium Patch enables organizations to patch at speed and scale, no matter how many endpoints are running.

Tanium Comply: Monitor the reduction in the vulnerability attack surface over time to identify your risk and compliance exposure.

If you would like to see how Tanium can help you mitigate this vulnerability or any others, contact us today.