Alert Logic is actively investigating a new local privilege escalation vulnerability, CVE-2021-4034, in Polkit’s pkexec tool. Polkit is a SUID-root program that is installed by default on every major Linux distribution, such as Ubuntu, Debian, Fedora, CentOS, Red Hat, and SUSE, and is used for controlling system-wide privileges. The pkexec tool is a command-line tool that defines which authorized user can execute a program as another user, making this a target for malicious attackers.
Alert Logic IDS and log appliances have existing mitigating controls that prevent any escalation of user privileges, and they are not impacted by this vulnerability.
CVE-2021-4034 (with a CVSS v3 base score of 7.8) gives any unprivileged user full root privileges on a vulnerable host. A local user account is required to exploit this vulnerability; however, the exploit is reliable and easy to execute. Currently, pkexec does not correctly handle the count of calling parameters and tries to execute environment variables as commands; malicious attackers can take advantage of this by crafting environment variables to induce pkexec to execute arbitrary code.
For more information on PwnKit and privilege escalation, refer to the following link.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has released coverage for Linux distributions, including Debian, Red Hat, CentOS, Ubuntu, Oracle Linux, Amazon Linux, and SUSE on the internal auth scan.
Network IDS: At this time, it is not expected that IDS is appropriate for this threat; however, Alert Logic will continue this assessment.
Web Application Firewall: At this time, it is not expected that WAF is appropriate for this threat; however, Alert Logic will continue this assessment.
Log Management: Alert Logic has released log analytics to help our Security Operations Center monitor customer environments for exploitation of this vulnerability.
Recommendations for Mitigation
If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation, for example:
# chmod 0755 /usr/bin/pkexec
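To confirm the temporary mitigation is actually in place on a host, the following check reports whether pkexec still carries the SUID bit. It is an added example, not Alert Logic's own tooling; the function names pkexec_suid_state and audit_pkexec are hypothetical, and only /usr/bin/pkexec is taken from the command above.

```shell
#!/bin/sh
# Added example: audit whether the temporary CVE-2021-4034 mitigation
# (SUID bit removed from pkexec) is in place. Function names are hypothetical.

# Print the SUID state of one path: "missing", "suid" or "no-suid".
pkexec_suid_state() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif [ -u "$1" ]; then        # -u: the set-user-ID bit is set
        echo "suid"
    else
        echo "no-suid"
    fi
}

# Check every candidate path. Returns 1 if any copy still has the SUID bit,
# 0 otherwise. With no arguments it checks /usr/bin/pkexec (the path used in
# the mitigation) plus whatever "pkexec" resolves to on PATH, if different.
audit_pkexec() {
    if [ "$#" -eq 0 ]; then
        set -- /usr/bin/pkexec
        found=$(command -v pkexec 2>/dev/null) \
            && [ "$found" != "/usr/bin/pkexec" ] \
            && set -- "$@" "$found"
    fi
    rc=0
    for p in "$@"; do
        state=$(pkexec_suid_state "$p")
        case "$state" in
            suid)    echo "$p: SUID bit set (patch, or chmod 0755 as a stopgap)"; rc=1 ;;
            no-suid) echo "$p: SUID bit not set (mitigation in place)" ;;
            missing) echo "$p: not present" ;;
        esac
    done
    return "$rc"
}
```

Source the file and run audit_pkexec with no arguments to check the local host; a non-zero return means at least one copy of pkexec is still SUID. Package updates can restore the original file mode, so re-run the check after patching cycles until a fixed polkit package is installed.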
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.