Every Linux Distro Is Vulnerable To A Bug That Could Give Hackers Complete Control
Even with malware attacks against Linux on the rise, a major security vulnerability has somehow been lurking in every Linux distribution for a dozen years. Just hours after the bug became public, a proof-of-concept (PoC) exploit showed up in the wild. The problem lies within a system utility called Polkit, which grants attackers root privileges on Linux systems.
Polkit, formerly known as PolicyKit, is a toolkit that helps system administrators manage privileges. In Unix-like operating systems Polkit gives administrators a way to allow non-privileged processes to communicate with privileged ones.
Cybersecurity firm Qualys has called the exploit “PwnKit,” and says it “allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.”
The pkexec executable, very similar to the sudo command, allows authorized users to run commands as if they were another user. With no user specified, just as sudo does, pkexec runs as root, the administrative super user.
Bharat Jogi, directory of vulnerability and threat research at Qualys, also said the exploit “has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009.”
On November 18, 2021, security analysts assigned the flaw the identifier CVE-2021-4034. They advised Linux vendors about it, and Red Hat and Ubuntu have already issued patches to plug the hole.
PwnKit uses an out-of-bounds write allowing a command to reintroduce “insecure” environment variables into pkexec’s environment. It can’t be exploited remotely to gain access, but an attacker who’s already managed to log into a system can use it to gain full root privileges. The Control Web Panel security exploit, for example, could allow access.
This threat is even worse, because a PoC is already in the wild. Patches to fix the exploit need to be applied as soon as possible, unless you really want some hacker to pwn your Linux box.