A Vulnerability in Polkit’s pkexec Component Could Allow For Local Privilege Escalation

DESCRIPTION:
A vulnerability in Polkit’s pkexec component could allow for local
privilege escalation. Polkit (formerly PolicyKit) is a component for
controlling system-wide privileges in Unix-like operating systems. It
provides an organized way for non-privileged processes to communicate
with privileged ones. Polkit is installed by default on all major Linux
distributions. Successful exploitation of this vulnerability could
result in privilege escalation to root privileges.

IMPACT:
A vulnerability in Polkit's pkexec component could allow for local
privilege escalation. Affected versions of pkexec do not handle the
count of calling parameters correctly and end up trying to execute
environment variables as commands. An attacker can leverage this by
crafting environment variables in such a way that pkexec is induced to
execute arbitrary code. Successful exploitation of this vulnerability
could result in privilege escalation to root privileges.

SYSTEM AFFECTED:
* All Linux systems with the policykit package installed
* Ubuntu versions 14.04, 16.04, 18.04, 20.04, 21.10
* Debian Distributions
* Fedora Distributions
* CentOS Distributions
* Red Hat Enterprise Linux 6 Extended Lifecycle Support
* Red Hat Enterprise Linux 7
* Red Hat Enterprise Linux 7.3 Advanced Update Support
* Red Hat Enterprise Linux 7.4 Advanced Update Support
* Red Hat Enterprise Linux 7.6 Advanced Update Support
* Red Hat Enterprise Linux 7.6 Telco Extended Update Support
* Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
* Red Hat Enterprise Linux 7.7 Advanced Update Support
* Red Hat Enterprise Linux 7.7 Telco Extended Update Support
* Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
* Red Hat Enterprise Linux 8
* Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
* Red Hat Enterprise Linux 8.2 Extended Update Support
* Red Hat Enterprise Linux 8.4 Extended Update Support

RECOMMENDATIONS:
We recommend the following actions be taken:
* Apply appropriate patches to vulnerable systems immediately after
appropriate testing.
* If a patch is not available for your distribution of Linux, you can
remove the SUID bit from pkexec as a temporary mitigation: chmod 0755
/usr/bin/pkexec
* Remind users not to visit un-trusted websites or follow links provided
by unknown or un-trusted sources.
* Inform and educate users regarding the threats posed by hypertext
links contained in emails or attachments especially from un-trusted sources.
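An added shell script, not part of this advisory, that checks whether the temporary mitigation above (clearing the SUID bit on pkexec) has been applied and can apply it when run as root; the path /usr/bin/pkexec is the one given above, the PKEXEC_PATH variable and the function names are assumptions, and the demo runs on a throwaway file so it changes nothing on the system.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the SUID state of pkexec.

# pkexec_is_suid PATH -> succeeds if PATH exists and has the setuid bit set
pkexec_is_suid() {
    [ -e "$1" ] && [ -u "$1" ]
}

# pkexec_mitigation_status PATH -> prints one of:
#   missing     no such file (pkexec not installed, or installed elsewhere)
#   vulnerable  setuid bit still set; the chmod 0755 mitigation is not applied
#   mitigated   file present without the setuid bit
pkexec_mitigation_status() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -u "$1" ]; then
        echo vulnerable
    else
        echo mitigated
    fi
}

# apply_pkexec_mitigation PATH -> the advisory's chmod 0755, root only
apply_pkexec_mitigation() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "must be root to change $1" >&2
        return 1
    fi
    chmod 0755 "$1" && pkexec_mitigation_status "$1"
}

# Constructed demo: simulate an unpatched setuid pkexec with a temp file,
# apply the mitigation to it, and report the before/after status.
demo_on_tempfile() {
    tmp=$(mktemp) || return 1
    chmod 4755 "$tmp"            # setuid + 0755, like a stock pkexec
    before=$(pkexec_mitigation_status "$tmp")
    chmod 0755 "$tmp"            # the advisory's temporary mitigation
    after=$(pkexec_mitigation_status "$tmp")
    rm -f "$tmp"
    echo "$before -> $after"
}

# Read-only check of the real binary (PKEXEC_PATH is an assumed override).
pkexec_mitigation_status "${PKEXEC_PATH:-/usr/bin/pkexec}"
```

Run it as root with apply_pkexec_mitigation /usr/bin/pkexec only on hosts where no vendor patch is available, and re-run the status check after the patch is installed, since the package update restores the setuid bit on the fixed binary.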

Published: 27 January 2022, 15:17:40 BST
