Action needed: Critical vulnerability in most default Linux installations

A critical vulnerability has been identified that requires the immediate attention of most Linux administrators and their users. If you are an administrator of a system running Linux, please review your builds for this vulnerability and mitigate it as soon as possible.  Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host! 
If you are a user of a Linux system, please contact your Linux system administrator to make sure they are fixing this vulnerability.

Update: An exploit has already emerged in the public space, less than three hours after Qualys published the technical details for PwnKit.

Threat:

A critical vulnerability in a program installed by default in most Linux distributions has been identified. Versions of polkit’s pkexec from 2009 onwards are vulnerable.
Threat details below are copied from: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).

Permanent mitigation:

Patch as soon as possible when updates are provided by your Operating System (OS) vendor.

Temporary mitigation:

If no patches are available for your operating system, you can remove the SUID-bit from pkexec as a temporary mitigation: chmod 0755 /usr/bin/pkexec
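The following script is an added example for administrators, not part of the original advisory or of polkit: it reports whether pkexec still carries the setuid bit and, when run as root with the argument "apply", performs the temporary mitigation above (chmod 0755). The path /usr/bin/pkexec is assumed to be the default and can be overridden through the PKEXEC environment variable; the function names are this example's own. With the setuid bit removed, pkexec can no longer elevate privileges for anyone, which is exactly what the temporary mitigation relies on, so re-check the status after your vendor's patched package is installed.

```shell
#!/bin/sh
# Added example (not from the advisory): check and optionally remove the
# setuid bit on pkexec, as the temporary mitigation describes.
# Usage:  sh pkexec-suid-check.sh          -> report only
#         sudo sh pkexec-suid-check.sh apply -> chmod 0755 and report

PKEXEC="${PKEXEC:-/usr/bin/pkexec}"   # assumed default path; override if needed

# has_suid FILE: returns 0 when FILE has the setuid bit (mode 4xxx), 1 otherwise.
# "find -prune -perm -4000" is POSIX and behaves the same on GNU and BSD userland.
has_suid() {
    f="$1"
    [ -e "$f" ] || return 1
    [ -n "$(find "$f" -prune -perm -4000 -print 2>/dev/null)" ]
}

# pkexec_status [FILE]: prints one of
#   VULNERABLE_CONFIG  (file exists and is setuid)
#   MITIGATED          (file exists without the setuid bit)
#   ABSENT             (file does not exist)
pkexec_status() {
    f="${1:-$PKEXEC}"
    if [ ! -e "$f" ]; then
        echo ABSENT
    elif has_suid "$f"; then
        echo VULNERABLE_CONFIG
    else
        echo MITIGATED
    fi
}

# strip_suid FILE: applies the advisory's temporary mitigation (chmod 0755)
# and returns 0 only if the setuid bit is really gone afterwards.
strip_suid() {
    f="$1"
    chmod 0755 "$f" && ! has_suid "$f"
}

# Only modify the system when explicitly asked to; otherwise just report.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply the mitigation" >&2; exit 1; }
    if strip_suid "$PKEXEC"; then
        echo "setuid bit removed from $PKEXEC"
    else
        echo "failed to remove setuid bit from $PKEXEC" >&2
    fi
fi
pkexec_status "$PKEXEC"
```

Run it once before and once after patching: a patched pkexec is still setuid (the vendor fix keeps the bit and corrects the bug), so VULNERABLE_CONFIG after the update means only that the mitigation was not applied, not that the patch is missing; confirm the package version with your distribution's package manager.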

More information:

https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/

Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909)