"Linux Bug in All Major Distros: 'An Attacker's Dream Come True'"
Qualys researchers warn of a 12-year-old memory-corruption bug in Polkit's pkexec tool, which impacts every major Linux distribution. According to the researchers, exploitation of the vulnerability, tracked as CVE-2021-4034, allows any unprivileged user to gain full root access on the vulnerable host. Polkit allows non-privileged processes to communicate with privileged processes in an organized manner. It can be used to execute commands with elevated privileges via the pkexec command, followed by the command intended to be executed with root permission.

The Qualys researchers dubbed the vulnerability PwnKit and developed a proof-of-concept (PoC) exploit that allowed them to obtain root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. They also suspect that other Linux distributions are likely vulnerable and exploitable. Most Linux distributions, including Red Hat, Debian, and Ubuntu, are working on releasing patches or have documented temporary mitigations.

It has been noted that bugs like this one, which have been lurking in networks for more than a decade, present a significant problem for security teams: they often do not know where to find every instance of the newly troubling component in their organization's infrastructure. Like the open-source Apache Log4j logging library, pkexec is widely used across many organizations. Greg Fitzgerald, the co-founder of Sevco Security, calls on organizations to prioritize patching Linux machines. Fitzgerald also pointed out that this issue further emphasizes the need for Software Bills of Materials (SBOMs). Many organizations do not have an accurate IT asset inventory that dates back more than a decade, so an organization may still be susceptible to the PwnKit vulnerability even after patching all known machines. An organization cannot apply a patch to an asset it does not know is connected to its network.
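The inventory concern above (finding every pkexec instance and confirming a mitigation is in place) is the kind of check a defender wants to script. The following POSIX shell snippet is an added example, not code from the article or from Qualys; it assumes the temporary mitigation the distributions documented is clearing the setuid bit on pkexec, and it reports, for each candidate path, whether the binary is present and whether it still carries that bit.

```shell
#!/bin/sh
# Added example: report the setuid status of a pkexec binary.
# Exit status: 0 = setuid bit set (still exposed if the host is unpatched),
#              1 = setuid bit cleared (temporary mitigation applied),
#              2 = no file at that path.
pkexec_suid_status() {
    path="$1"
    [ -e "$path" ] || { printf '%s: not present\n' "$path"; return 2; }
    if [ -u "$path" ]; then
        printf '%s: setuid bit set\n' "$path"
        return 0
    fi
    printf '%s: setuid bit cleared\n' "$path"
    return 1
}

# Walk the usual install locations (assumed list) and count binaries that
# are still setuid, so a fleet-wide run can be aggregated from the output.
scan_pkexec() {
    exposed=0
    for p in /usr/bin/pkexec /usr/local/bin/pkexec; do
        if pkexec_suid_status "$p"; then
            exposed=$((exposed + 1))
        fi
    done
    printf 'pkexec binaries still setuid: %d\n' "$exposed"
    return 0
}

scan_pkexec
```

Run it as any user; it needs no privileges because it only inspects file modes. A result of "setuid bit set" on an unpatched host is the condition to act on; on a patched host the bit is expected to remain set, so pair this with the distribution's package version check before drawing conclusions.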
This article continues to discuss the findings and concerns regarding the PwnKit vulnerability.
Threatpost reports "Linux Bug in All Major Distros: 'An Attacker's Dream Come True'"