A high-severity Linux vulnerability capable of granting abusers root access to target endpoints is being exploited in the wild, researchers have warned.
The flaw is found in Polkit’s pcexec component, which can be found in pretty much all major Linux distributions. Tracked as CVE-2021-4034, the flaw is dubbed PwnKit, and is described as a memory corruption bug.
It allows threat actors full root privileges on Linux systems with default setups. What’s more, threat actors can exploit the bug without leaving a trace on the compromised endpoint.
“The current version of pkexec doesn’t handle the calling parameters count correctly and ends trying to execute environment variables as commands,” the NIST security advisory reads.
“An attacker can leverage this by crafting environment variables in such a way it’ll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.”
CISA raises alarm
Cybersecurity researchers from Qualys were the first to spot the flaw, which appears to have been sitting under everyone’s noses for almost 12 years. The flaw was found in virtually all versions of pkexec, the first of which was released back in 2009.
It was also said a proof-of-concept (PoC) is already available online, prompting Qualys to urge Linux admins to patch up as soon as possible. The patches were released by the Polkit development team and can be found on GitLab.
The Cybersecurity and Infrastructure Agency (CISA) also warned users that the flaw is being actively abused, BleepingComputer reported. It gave all Federal Civilian Executive Branch Agencies (FCEB) a deadline, expiring on July 18, to patch up all their Linux endpoints.
Polkit is a set of tools used to control system-wide privileges on Linux, and manages the communications between non-privileged and privileged processes. It was previously called PolicyKit.
Even though security researchers are warning that the flaw is being abused in the wild, they did not say who the threat actors are, or who they are using the flaws against.
