Tech Solvency - The Story So Far

Contents

• Key updates
• Context - who (and what) is affected
• Summaries
• Technical analysis
• Background
• Remediation
• Affected (and unaffected) products
• Other product and tool lists
• Detection and testers
• Exploitation
• News and posts

Key updates

• Issue due to failure to strip unsecure environment variables (pkexec does this similarly to how sudo strips them)
• polkit more likely to be present on desktop-grade systems, less so on "server"-dedicated distro versions
• polkit s an optional port/pkg on FreeBSD, NetBSD, and OpenBSD to support deskto use cases, but not installed in base OS or by default
• Debian and derivatives use a fork of polkit with different version numbering - see GitHub blog

Context - who (and what) is affected

• All Linux with any version of polkit / pkexec - bug was present in initial version
• All major Linux distributions
• Likely most or all downstream projects, appliances, and IoT
• Windows Subsystem for Linux
• Chromebook Linux emulation layer?

Scope / seriousness

• Classic, trivial local privilege escalation - get on the box via any other means, and instantly become root
• Disclosed to vendors on November 18, 2021 by Qualys - vendors coordinating response until January 25
• CVSS 7.8

back to top

Summaries

• MITRE CVE (not yet public)
• NVD
• commit with fix
• ZDnet article is a good summary

back to top

Technical analysis

• Original Qualys disclosure blog post and security advisory and Vimeo talk/demo
• Openwall oss-security post (Qualys)
• VulDB
• Hacker News reply detailing what polkit and pkexec are - sort of like sudo? - used by "systemd, logind, NetworkManager, udisks, flatpack, fwupd, timedate"
• Other claimed dependencies: rtkit, colord, gparted (ref)
• kernel.org thread
• Sophos
• GitHub blog - good details
• .

back to top

Background

• Wikpedia polkit article
• Arch wiki polkit article
• OpenSUSE doc about authorization with Polkit - good details
• Can argc be zero on a POSIX system? (Stack Overflow)

back to top

Remediation

Direct remediation:

• Apply patches from vendors - this one is pretty simple

Mitigations - official

• Strip setuid bit - see below

Mitigations - easy but may have tradeoffs

• # chmod 0755 /usr/bin/pkexec
• Remove polkit and/or libpolkit (may be feasible for servers)

Mitigations - harder

• If you know you don't need polkit functionality, consider a shell wrapper to trap and log (such as akhepcat's)

Mitigations - ecosystem

• Fix likely posted to mailing list in 2013 - but the post may have bounced

back to top

Affected (and unaffected) products

See other product and tool lists if your product is not listed here)

Note: this list focuses primarily on customer-controlled components.

Disclaimer: caching/summaries is best effort and may be out of date or incorrect - always validate for yourself

Claimed patched (previously vulnerable, now remediated/mitigated or updates available)

• Alma (per @passthejoe tweet)
• Alpine Linux (Ariadne Conill blog post)
• Arch (commit)
• CentOS 7 (official community reply)
• CentOS Stream 8 (per @passthejoe tweet) - as of Thu 27 Jan 2022 05:13:16 PM UTC
• CloudLinux (official blog); see also secondary community post
• cPanel (though many servers simply won't have polkit installed)
• Debian - sid, stretch, buster, and bullseye
• Fedora
• Gentoo
• Kali - tweet
• Manjaro (official community reply)
• Mint (community reply)
• Raspbian / Raspberry Pi OS - reported as patched but still looking for public references
• Red Hat
• Rocky (per @passthejoe tweet)
• Sailfish OS
• Slackware (secondary community post - 14.1, 14.2, and -current patched)
• SUSE and patch announcement
• Ubuntu and variants - patched back to 14.04?
• Windows Subsystem for Linux (WSL) - not covered by Windows Update

Confirmed affected - version differences, workarounds suggested, status pending, or not yet analyzed

• CentOS Stream 9 (per @passthejoe tweet)
• Broadcom Gateway 10.x

Claimed unaffected / not vulnerable (no action taken or required)

• BSDs (at the OS level - but see ports below) - there may also be BSD-based appliances, but they're less likely to have OS-based GUIs (as opposed to web GUIs)
• CentOS 7 ?
• Illumos (no pkexec included) - tweet
• macOS (no systemd, no polkit)
• Untangle

Claimed unaffected by default (but configurable to be affected)

• FreeBSD - optional port - sysutils/polkit - Bugzilla
• NetBSD - optional port - pkg page, pkgsrc fix commit
• OpenBSD - optional port - pkg page, port fix commit
• .

Multi-product - vulnerable, mixed, or not yet fully determined

• Almost all Linux-based appliances and platforms likely affected, so individual tracking will be best-effort
• Amazon Linux
• F5 (official)
• NetApp - states "Multiple NetApp product incorporate PolicyKit", but then states "None" for affected products(???)
• VMware - deemed not urgent, due to small footprint (polkit often not present, etc.)

Potentially affected (circumstantially affected, or behind support wall)

• .

Not yet determined, non-commital, or mixed/controversial

• Chrome Linux emulation
• Solaris?

Indirect / integration known

• .

Other rollup lists

• .

back to top

Detection

Finding potentially vulnerable software

• $ ls -la /usr/bin/pkexec - but note that the version number wasn't updated :( (but many package systems likely have an incremented version)
• $ which -a /usr/bin/pkexec
• Gentoo - dependencies: $ emerge -cpv polkit
• Debian family: dpkg -l | grep polkit - see Ubuntu notice for patched versions
• Red Hat family - dependencies: rpm -q --whatrequires polkit - may include: tuned
• jfrog/polkit-tools/tree/main/pwnkit_detector - direct checks, not dependent on package versions
• CrowdSec

Detecting exploitation attempts / threat hunting

• Per Qualys:

      Important: this exploitation technique leaves traces in the logs (either
      "The value for the SHELL variable was not found the /etc/shells file" or
      "The value for environment variable [...] contains suscipious content").
      However, please note that this vulnerability is also exploitable without
      leaving any traces in the logs, but this is left as an exercise for the
      interested reader.
      

• Can also be exploited without leaving any logs, per multiple sources
• If you know you don't need polkit functionality, consider a shell wrapper to trap and log (such as akhepcat's)
• Trustwave guide

Vulnerability scanning and testing

• .

Other defense stacks and guides

• .
• TryHackMe demo room

back to top

Exploitation

Trivial - so expect many, this list will not be exhaustive

• blasty-vs-pkexec.c - at the top because it was the first one I saw :)
• blasty-vs-pkexec2.c - blasty version 2 - should be more portable
• PeterGottesman/pwnkit-exploit - more portable, works even if polkit disables GVFS
• .
• arthepsy/CVE-2021-4034 (and PacketStorm ref)
• berdav/CVE-2021-4034
• dzonerzy/poc-cve-2021-4034
• Golang version
• ly4k/PwnKit

back to top

News and posts

• NSA Cybersecurity Directory Rob Joyce summarizes it as of concern
• Ars Technica
• Avertium
• Bleeping Computer
• BugAlert.org
• Computer Weekly
• CSO Online
• Dark Reading
• Duo
• DirectAdmin thread - mentions FreeBSD port
• The Hacker News
• LWN thread
• Neowin
• Rapid7 DB entry
• Reddit r/sysadmin
• The Register
• Y Combinator Hacker News
• SANS Internet Storm Center and diary entry
• Security Affairs
• Security Week
• Threatpost
• Slashdot
• Snyk
• ZDnet

back to top

Return to The Story So Far (list of notable security events)

Follow @techsolvency for security-only updates, or @TychoTithonus (me) for general/personal (and password cracking / hashcat stuff)