This message was sent to U-M IT groups on January 26, 2022. It is intended for U-M IT staff who are responsible for university servers running Linux systems with Polkit's pkexec component installed.
Summary
A vulnerability in Polkit's pkexec component is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. Apply appropriate patches to vulnerable systems immediately after appropriate testing.
Problem
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. The pkexec program could be used by local attackers to escalate their privileges to root on default installations of Ubuntu, Debian, Fedora, and CentOS.
Affected Systems
All Linux systems with the policykit package installed:
- Ubuntu versions 14.04, 16.04, 18.04, 20.04, 21.10
- Debian Distributions
- Fedora Distributions
- CentOS Distributions
- Red Hat Enterprise Linux 6 Extended Lifecycle Support
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 7.3 Advanced Update Support
- Red Hat Enterprise Linux 7.4 Advanced Update Support
- Red Hat Enterprise Linux 7.6 Advanced Update Support
- Red Hat Enterprise Linux 7.6 Telco Extended Update Support
- Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
- Red Hat Enterprise Linux 7.7 Advanced Update Support
- Red Hat Enterprise Linux 7.7 Telco Extended Update Support
- Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
- Red Hat Enterprise Linux 8.2 Extended Update Support
- Red Hat Enterprise Linux 8.4 Extended Update Support
Action Items
The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21). Immediately apply mitigations to any systems that allow remote access without requiring Duo or other two-factor authentication, including login servers and web servers. Otherwise, apply appropriate patches to vulnerable systems immediately after appropriate testing. See the following for update instructions:
If a patch is not available for your distribution of Linux or if you are unable to immediately apply patches, you can remove the SUID bit from pkexec as a temporary mitigation:
chmod 0755 /usr/bin/pkexec
Threats
This vulnerability is extremely easy to exploit and exploitation code has been released to the public.
Technical Details
The current version of pkexec does not handle the argument count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way as to induce pkexec to execute arbitrary code as root.
Detection
For Red Hat systems, a vulnerability detection script can determine if your system is currently vulnerable to this flaw. To download the detection script, see Diagnose: RHSB-2022-001 Polkit Privilege Escalation - (CVE-2021-4034).
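The script below is an added example for the mitigation in Action Items and the Detection section above; it is not part of the U-M advisory and is not the Red Hat detection script. It assumes a GNU/Linux host with a POSIX shell and the default path /usr/bin/pkexec (overridable per call); the hostnames and modes in the sample inventory are constructed. It reports only whether the SUID bit is still set on pkexec, so it tells you whether the temporary chmod mitigation is in place, not whether the installed package is patched; compare the reported package version against your distribution's advisory for that. Keep in mind that removing the SUID bit also disables pkexec for legitimate use, and that installing the patched package restores the SUID bit, so re-run the check after patching to confirm the state you expect.

```shell
#!/bin/sh
# Added example (not from the U-M advisory): audit and apply the temporary
# pkexec mitigation. Assumes a POSIX shell on GNU/Linux; /usr/bin/pkexec is
# the default path and can be overridden per call.

# Report the state of a pkexec binary: "absent", "suid" (setuid bit still
# set, i.e. the temporary mitigation is NOT in place) or "nosuid".
# Exit status is 1 only for "suid", so the function can drive a scan loop.
pkexec_state() {
    path=${1:-/usr/bin/pkexec}
    if [ ! -e "$path" ]; then
        echo absent
        return 0
    fi
    if [ -u "$path" ]; then      # POSIX test for the set-user-ID bit
        echo suid
        return 1
    fi
    echo nosuid
    return 0
}

# Apply the advisory's mitigation (chmod 0755) to the given path. Only the
# file mode changes; the package must still be patched, and the patched
# package reinstalls pkexec with the setuid bit, so re-check afterwards.
mitigate_pkexec() {
    path=${1:-/usr/bin/pkexec}
    chmod 0755 "$path"
}

# Installed polkit package version for comparison against the distribution
# advisory (fixed versions differ per distribution and are not listed here).
# Package names: policykit-1 on Debian/Ubuntu, polkit on RHEL/Fedora/CentOS.
polkit_version() {
    v=""
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' policykit-1 2>/dev/null) || v=""
    elif command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' polkit 2>/dev/null) || v=""
    fi
    echo "${v:-unknown}"
}

# Helpers for modes collected from other hosts (an inventory that recorded
# `stat -c %a` or `ls -l` output), so the audit works without touching files.

# Octal mode such as 4755 or 755: is the setuid bit (4 in the special digit) set?
is_setuid_octal() {
    mode=$1
    special=${mode%???}          # strip the three permission digits
    special=${special:-0}        # a three-digit mode has no special digit
    [ $(( $special & 4 )) -ne 0 ]
}

# Symbolic mode from ls -l such as -rwsr-xr-x: the owner-execute position is
# s or S when setuid is set (S means setuid without owner execute).
is_setuid_symbolic() {
    s=${1#???}                   # drop file type and owner read/write
    s=${s%"${s#?}"}              # keep only the owner-execute character
    case $s in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Given lines of "hostname octal-mode", print the hosts whose pkexec still
# carries the setuid bit and therefore still needs the patch or mitigation.
hosts_needing_mitigation() {
    while read -r host mode; do
        [ -z "$host" ] && continue
        if is_setuid_octal "$mode"; then
            echo "$host"
        fi
    done
}

# Constructed sample inventory (not real hosts) to exercise the helpers offline.
SAMPLE_INVENTORY='login1.example.edu 4755
web2.example.edu 0755
build3.example.edu 755
db4.example.edu 4711'

main_demo() {
    state=$(pkexec_state) || true
    echo "pkexec on this host: $state (polkit package version: $(polkit_version))"
    echo "inventory hosts still needing mitigation:"
    printf '%s\n' "$SAMPLE_INVENTORY" | hosts_needing_mitigation
}
main_demo
```

Run it as-is to audit the local host, or feed `hosts_needing_mitigation` the output of a scan tool that records pkexec modes across a fleet; any host it prints should be prioritised, with remotely reachable systems that lack two-factor authentication first, as the advisory directs.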
How We Protect U-M
- ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
- IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034), Qualys, 1/25/22
- Linux system service bug gives root on all major distros, exploit released, Bleeping Computer, 1/25/22
- CVE-2021-4034, The Mitre Corporation, 11/29/21
- Red Hat CVE-2021-4034, Red Hat, 1/25/22
- Ubuntu USN-5252-2: PolicyKit vulnerability, Ubuntu, 1/25/22
- Ubuntu USN-5252-1: PolicyKit vulnerability, Ubuntu, 1/25/22
- Debian CVE-2021-4034, Debian, 1/25/22