Polkit's pkexec (PwnKit) Local Privilege Escalation Vulnerability - CVE-2021-4034


On Jan 25th 2022, a critical vulnerability known as “PwnKit” (CVE-2021-4034) was publicly disclosed.

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission). 

PwnKit is a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. It is easily exploited and allows any unprivileged user to gain full root privileges on a vulnerable host in its default configuration.

The vulnerability is tracked as CVE-2021-4034 (PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec). Successful exploitation allows any unprivileged local user to gain root privileges on the vulnerable host.

Affected Products 

| Product Name | Affected Version |
|---|---|
| Accops HySecure Gateway | All Versions |
| Accops HyID | All Versions |
| Accops Reporting Server | All Versions |
| Linux Shared Hosted Desktop with Ubuntu OS | All Versions |
| Linux Shared Hosted Desktop with CentOS OS | All Versions |
| Accops HyDesk devices (with Ubuntu based OS) | All Versions |

Accops has released an Advisory (ASA-2022-0102), where fixes for products affected by this vulnerability have been provided: https://support.accops.com/en/support/solutions/articles/12000085471  

If you are running Linux-based VDI, we recommend updating your Linux gold master image and any cloned Linux VMs by installing the latest OS patches, so that they receive the updated polkit package from the distribution's update repository.
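To record the state of a gold master image or cloned VM before and after patching, the following script reports whether pkexec is present with the set-user-ID bit and which polkit package version is installed. It is an added example, not Accops' or the polkit project's code; the default path `/usr/bin/pkexec` and the package names `policykit-1` (Ubuntu) and `polkit` (CentOS) are assumptions, and the reported version still has to be compared against the fixed version in your distribution's own advisory.

```shell
#!/bin/sh
# Added example: audit a Linux image for the pkexec exposure described above.
# The default path and the package names below are assumptions.

# Print "absent", "suid" or "no-suid" for the given pkexec path.
pkexec_suid_state() {
    [ -e "$1" ] || { echo "absent"; return 0; }
    # -u is true when the set-user-ID bit is set on the file.
    if [ -u "$1" ]; then echo "suid"; else echo "no-suid"; fi
}

# Print the installed polkit package and version, or "unknown".
polkit_pkg_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # Ubuntu (assumed package name: policykit-1)
        v=$(dpkg-query -W -f='${Package} ${Version}' policykit-1 2>/dev/null) \
            && { echo "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        # CentOS (assumed package name: polkit)
        v=$(rpm -q polkit 2>/dev/null) && { echo "$v"; return 0; }
    fi
    echo "unknown"
}

# Print a short report for one host or image.
audit_pkexec() {
    target="$1"
    state=$(pkexec_suid_state "$target")
    echo "pkexec path:    $target"
    echo "setuid state:   $state"
    if [ "$state" != "absent" ]; then
        # Third column of 'ls -ln' is the numeric owner; 0 means root.
        echo "owner uid:      $(ls -ln "$target" | awk '{print $3}')"
    fi
    echo "polkit package: $(polkit_pkg_version)"
}

audit_pkexec "${PKEXEC_PATH:-/usr/bin/pkexec}"
```

Run it on the master image and on a sample of clones after the update; a clone that still reports the old package version was not rebuilt from the patched image.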

For more help, please write to: support@accops.com or open a support ticket at our support portal.