Vulnerability Alert: PwnKit
For clients with Linux systems, please be aware that late on Tuesday, January 25th, 2022 (yesterday as of the date of this blog posting), the Linux Foundation and all the major Linux distro publishers (Red Hat, Canonical, SUSE, Debian, et al.) publicly announced a vulnerability, dubbed PwnKit, in the PolKit (formerly PolicyKit) service that applies to ALL current Linux systems. It allows a non-root user on a system to elevate their privileges to the root user (wheel group) level. The major distros released patches for this vulnerability, officially CVE-2021-4034, prior to this announcement to minimize any exploitation of PwnKit in the wild.
How urgent is this?
Red Hat rates PwnKit a 7.8 out of ten. It is not as bad as Log4Shell, but definitely something that needs attention. And soon!
What is Red Hat recommending?
See Red Hat's remediation steps at the link below, or reach out to your Moser PoC or EM and we can work with you and your organization to address this quickly.
https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
What access does someone need to perform this privilege escalation?
A person needs to have 'local' access to the system. In other words, they must have:
an account on the target system
network (ssh) or direct (console) access to the system
If the system is accessible by the general public, this of course makes it a greater concern. If, however, it is behind a firewall or accessible only on the company network(s) (say over VPN?), then the concern focuses on who internally might have an account on the Linux system.
Given the above two, how easy is it to perform this privilege escalation?
VERY!
Without going into details publicly (for the obvious legal reasons), PwnKit is relatively simple to execute and has a reported 100% success rate.
Other Resources & References:
While a Red Hat partner, Moser Consulting focuses on the entire IT ecosystem, so here are some resources for broader information sharing and for operators using some of the other Linux distributions.
ZDNet PwnKit article
https://www.zdnet.com/article/major-linux-policykit-security-vulnerability-uncovered-pwnkit/
Ars Technica article
https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/
Qualys discovered PwnKit; here's their story
Debian-based patches
https://security-tracker.debian.org/tracker/CVE-2021-4034
Ubuntu(-based) patches
https://ubuntu.com/security/CVE-2021-4034
SUSE remediation information
https://suse.com/security/cve/CVE-2021-4034.html
If there are other details or articles relevant to this issue, please contact us and we will vet the information and update this article as appropriate.