Polkit’s pkexec (PwnKit) Local Privilege Escalation Vulnerability – CVE-2021-4034
On Jan 25th 2022, a critical vulnerability aliased “PwnKit” or CVE-2021-4034 was publicly released.
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).
PwnKit is a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
The vulnerability is labelled as PwnKit (CVE-2021-4034: PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)) and successful exploitation of this vulnerability allows any unprivileged user(local) to gain root privileges on the vulnerable host.
Accops HySecure Gateway
Accops Reporting Server
Linux Shared Hosted Desktop with Ubuntu OS
Linux Shared Hosted Desktop with CentOS OS
Accops HyDesk devices (with Ubuntu based OS)
Accops has released an Advisory (ASA-2022-0102), where fixes for products affected by this vulnerability have been provided: https://support.accops.com/en/support/solutions/articles/12000085471
If you are running Linux based VDI, we recommend updating your Linux gold master image and other cloned Linux VMs by installing latest OS patches to get the updated polkit package from the distribution upgrade site.
You may also like
The year 2022 marked a significant landmark for Accops as we completed a decade of our existence. When we look back on where we started
Over the past few decades, the digital world has revolutionized itself manifold. Organizations no longer assume that trusted objects only exist inside, and untrusted ones
In the wake of the recent surge in incidents of Internet banking frauds, RBI has issued a series of guidelines for banks. These guidelines are