{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-007.pdf"
    },
    "title": "Serious Vulnerability in All Major Linux Distributions",
    "serial_number": "2022-007",
    "publish_date": "27-01-2022 17:27:00",
    "description": "On January 25, Polkit's authors released a patch for their software fixing a severe vulnerability that could lead to local privilege escalation on all major Linux distributions (including Ubuntu, Debian, Fedora, and CentOS).<br>Exploits for this vulnerability already exist in the wild.<br>It is recommended to update Linux distributions as soon as possible.",
    "url_title": "2022-007",
    "content_markdown": "---\ntitle: 'Serious Vulnerability in\u00a0All\u00a0Major\u00a0Linux\u00a0Distributions'\nversion: '1.0'\nnumber: '2022-007'\ndate: 'January 27, 2022'\n---\n\n_History:_\n\n* _27/01/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn January 25, Polkit's authors released a patch for their software fixing a severe vulnerability that could lead to local privilege escalation on all major Linux distributions (including Ubuntu, Debian, Fedora, and CentOS) [1,2].\n\n**Exploits for this vulnerability already exist in the wild**.\n\nIt is recommended to update Linux distributions as soon as possible.\n\n# Technical Details\n\nThe vulnerability, identified as `CVE-2021-4034`, has a severity score of 7.8 out of 10. It is a memory corruption vulnerability caused by the way the `pkexec` component of Polkit reads its arguments. It makes it possible to reintroduce an _unsecure_ environment variable (one that leads to the execution of arbitrary libraries) into `pkexec`'s environment, from which it would normally be removed before the program is executed [2].\n\nThis vulnerability is very easy to exploit.\n\n# Affected Products\n\nAll versions of Polkit since the first introduction of `pkexec` are vulnerable (since version 0.113 from 2009). The authors have integrated a fix in the last published release, but have not created a specific release number [3].\n\n# Recommendations\n\nCERT-EU recommends updating all running Linux distributions; the following have provided a backport of the fix [4, 5, 6, 7]:\n\n- Ubuntu 14.04, 16.04 ESM\n- Ubuntu 18.04, 20.04, and 21.04\n- Red Hat Workstation and Enterprise products for supported architectures, as well as Extended Life Cycle Support, TUS, and AUS\n- Debian Stretch, Buster, Bullseye, unstable\n\nA reboot might be necessary.\n\n## Workaround\n\nA temporary mitigation is available to prevent exploitation of the privilege escalation vulnerability (it removes the setuid bit from `pkexec`):\n\n```\nchmod 0755 /usr/bin/pkexec\n```\n\n## Analysis\n\nCERT-EU also recommends searching for exploitation attempts by checking the logs for the following strings:\n\n```\n\"The value for the SHELL variable was not found the /etc/shells file\"\nand/or\n\"The value for environment variable [\u2026] contains suspicious content.\"\n```\n\nHowever, Qualys notes that exploiting PwnKit is possible without leaving a trace [2].\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/>\n\n[2] <https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt>\n\n[3] <https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/104/diffs>\n\n[4] <https://ubuntu.com/security/notices/USN-5252-2>\n\n[5] <https://ubuntu.com/security/notices/USN-5252-1>\n\n[6] <https://access.redhat.com/security/security-updates/#/?q=polkit&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>\n\n[7] <https://security-tracker.debian.org/tracker/CVE-2021-4034>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>27/01/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On January 25, Polkit's authors released a patch for their software fixing a severe vulnerability that could lead to local privilege escalation on all major Linux distributions (including Ubuntu, Debian, Fedora, and CentOS) [1,2].</p><p><strong>Exploits for this vulnerability already exist in the wild</strong>.</p><p>It is recommended to update Linux distributions as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability, identified as <code>CVE-2021-4034</code>, has a severity score of 7.8 out of 10. It is a memory corruption vulnerability caused by the way the <code>pkexec</code> component of Polkit reads its arguments. It makes it possible to reintroduce an <em>unsecure</em> environment variable (one that leads to the execution of arbitrary libraries) into <code>pkexec</code>'s environment, from which it would normally be removed before the program is executed [2].</p><p>This vulnerability is very easy to exploit.</p><h2 id=\"affected-products\">Affected Products</h2><p>All versions of Polkit since the first introduction of <code>pkexec</code> are vulnerable (since version 0.113 from 2009). The authors have integrated a fix in the last published release, but have not created a specific release number [3].</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends updating all running Linux distributions; the following have provided a backport of the fix [4, 5, 6, 7]:</p><ul><li>Ubuntu 14.04, 16.04 ESM</li><li>Ubuntu 18.04, 20.04, and 21.04</li><li>Red Hat Workstation and Enterprise products for supported architectures, as well as Extended Life Cycle Support, TUS, and AUS</li><li>Debian Stretch, Buster, Bullseye, unstable</li></ul><p>A reboot might be necessary.</p><h3 id=\"workaround\">Workaround</h3><p>A temporary mitigation is available to prevent exploitation of the privilege escalation vulnerability (it removes the setuid bit from <code>pkexec</code>):</p><pre><code>chmod 0755 /usr/bin/pkexec\n</code></pre><h3 id=\"analysis\">Analysis</h3><p>CERT-EU also recommends searching for exploitation attempts by checking the logs for the following strings:</p><pre><code>\"The value for the SHELL variable was not found the /etc/shells file\"\nand/or\n\"The value for environment variable [\u2026] contains suspicious content.\"\n</code></pre><p>However, Qualys notes that exploiting PwnKit is possible without leaving a trace [2].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/\">https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt\">https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/104/diffs\">https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/104/diffs</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://ubuntu.com/security/notices/USN-5252-2\">https://ubuntu.com/security/notices/USN-5252-2</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://ubuntu.com/security/notices/USN-5252-1\">https://ubuntu.com/security/notices/USN-5252-1</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://access.redhat.com/security/security-updates/#/?q=polkit&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct\">https://access.redhat.com/security/security-updates/#/?q=polkit&amp;p=1&amp;sort=portal_publication_date%20desc&amp;rows=10&amp;portal_advisory_type=Security%20Advisory&amp;documentKind=PortalProduct</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"https://security-tracker.debian.org/tracker/CVE-2021-4034\">https://security-tracker.debian.org/tracker/CVE-2021-4034</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}