On Tuesday (25 January 2022), Qualys announced a local privilege escalation vulnerability (CVE-2021-4034) affecting several distributions of Linux such as Fedora, Debian, Ubuntu, CentOS and more. The disclosed vulnerability exploits Polkit opensource application that negotiates the interaction between privileged and unprivileged users. This vulnerability is both simple and universal. This vulnerability is of ‘’Important’’ severity and can be used to easily compromise the confidentiality, integrity and availability of a system.
Vulnerability disclosure timelines:
- 2021-11-18: Advisory sent to secalert@redhat.
- 2022-01-11: Advisory and patch sent to distros@openwall.
- 2022-01-25: Coordinated Release Date (5:00 PM UTC).
Brace168 follows industry recognised detection and response methodology and incident response practice. To avoid confusion and undue panic, Brace168 has conducted a series of tests and investigations of this CVE, which as a result has presented the following triaged findings:
Brace168 SOC Security Analysts have:
- Assessed the exposure across our internal systems, to which there was not any adverse findings;
- Any of Brace168 managed customers, which there was not any adverse findings;
- Provided remediation assistance for the vulnerable systems that were identified in our customer base, and;
- Implemented rules in our SIEM to identify attempted exploits.
To prevent exploitation of this vulnerability we advise our customer to urgently:
- Assess the vulnerability and apply the patch applicable to the Linux distribution
- If a patch is not available or your business cannot support the emergency change, follow the work arounds as mentioned in the reference section, for example removing the SUID bit from pkexec with (# chmod 0755 /usr/bin/pkexec)
- Communicate the urgency of this vulnerability to suppliers and partners, to minimise any potential threat to your supply chain.
Brace168 continues to monitor this critical vulnerability across our systems and those of our customers, if there are any material changes, we will advise our customer base in a timely manner.
In the meantime, if you have any concerns regarding this highly rated CVE please contact Brace168 SOC or account management if we can help in identification of this exploit and remediation efforts.
CVE – CVE-2021-4034 (mitre.org): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034
Exploit flaw in Linux policykit: https://www.darkreading.com/vulnerability-management/experts-urge-firms-to-patch-trivial-to-exploit-flaw-in-linux-policykit
Linux distributions response to CVE-2021-4034:
CVE-2021-4034 | Ubuntu: https://ubuntu.com/security/CVE-2021-4034
CVE-2021-4034 (debian.org): https://security-tracker.debian.org/tracker/CVE-2021-4034
RHSB-2022-001 Polkit Privilege Escalation – (CVE-2021-4034) – Red Hat Customer Portal: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001