An easily exploitable vulnerability that can allow an attacker to gain root privileges has been present in a component of every major Linux distribution for 12 years. The flaw requires local access to the target machine, but researchers have developed a simple exploit for it and experts worry it could soon make its way into attackers’ arsenals.
Researchers at Qualys discovered the vulnerability (CVE-2021-4034) in the Pkexec portion of the polkit package in November and reported it to the Red Hat security team, which handles response for the Linux community. Polkit is designed to handle policies to enable unprivileged processes to communicate with privileged ones. Pkexec allows a user to run commands as another user according to policies set by polkit. The bug that Qualys discovered allows an unprivileged user to get root access to the system.
Default installations of Ubuntu, Fedora, Debian, and CentOS are known to be vulnerable. The patch for the vulnerability was released to the Linux community on Jan. 11 and the vulnerability was disclosed Tuesday.
The bug is the result of Pkexec not validating the number of arguments passed to it. Rob Joyce, director of cybersecurity at the NSA, said on Twitter Wednesday that he’s concerned with the ease of exploitation for this vulnerability.
“CVE-2021-4034 in a system tool called Polkit has me concerned. Easy and reliable privilege escalation preinstalled on every major Linux distribution. Patch ASAP. There are working POCs in the wild,” Joyce said.
The good news is that patches are available for the known-affected Linux distributions, and there’s also a simple mitigation for systems that can’t be patched right away. Removing the SUID-bit from Pkexec mitigates the bug, the Qualys team said.
“This issue eventually leads to attempts to execute environment variables as commands. When properly exploited, this issue leads pkexec to execute arbitrary code as a privileged user, granting the attacker a local privilege escalation,” the Red Hat advisory says.
The exploit that the Qualys team developed allows an attacker to introduce an insecure environmental variable into the Pkexec environment.
"Easy and reliable privilege escalation preinstalled on every major Linux distribution. Patch ASAP."
“Our question is: to successfully exploit this vulnerability, which ‘unsecure’ variable should we re-introduce into pkexec's environment? Our options are limited, because shortly after the out-of-bounds write, pkexec completely clears its environment,” the Qualys advisory says.
“The answer to our question comes from pkexec's complexity: to print an error message to stderr, pkexec calls the GLib's function g_printerr() (note: the GLib is a GNOME library, not the GNU C Library, aka glibc); for example, the functions validate_environment_variable() and log_message() call g_printerr. g_printerr() normally prints UTF-8 error messages, but it can print messages in another charset if the environment variable CHARSET is not UTF-8 (note: CHARSET is not security sensitive, it is not an "unsecure" environment variable). To convert messages from UTF-8 to another charset, g_printerr() calls the glibc's function iconv_open()
“Alternatively, the environment variable GCONV_PATH can force iconv_open() to read another configuration file; naturally, GCONV_PATH is one of the "unsecure" environment variables (because it leads to the execution of arbitrary libraries), and is therefore removed by ld.so from the environment of SUID programs. Unfortunately, CVE-2021-4034 allows us to re-introduce GCONV_PATH into pkexec's environment, and to execute our own shared library, as root.”
The exploit technique that Qualys researchers developed does leave log traces, but there are other techniques that would not.
“This exploitation technique leaves traces in the logs (either “The value for the SHELL variable was not found the /etc/shells file” or “The value for environment variable […] contains suspicious content”). However, please note that this vulnerability is also exploitable without leaving any traces in the logs,” Qualys researcher Bharat Jogi said in a post.