Learn more about CVE-2021-4034, a newly discovered vulnerability in PolKit software used in major Linux distributions.
Another critical open source vulnerability has been discovered. This time it’s in a popular component used in major Linux distributions and some UNIX-like operating systems, so it has the potential to impact software development organizations far and wide. The flaw, in PolKit, which provides methods for nonprivileged processes to interact with privileged ones, has been assigned CVE-2021-4034 and dubbed “PwnKit.”
CVE-2021-4034 has the potential to grant even inexperienced actors an easy way to access a multitude of systems and use administrative privileges. By chaining memory corruption in pkexec and a few other weaknesses in the software, unprivileged local users can gain full root privileges and then move through the vulnerable host’s network to steal sensitive data and lay the groundwork for additional attacks with increased stealth, persistence, and capability.
Exploiting this vulnerability does require a threat actor to already have local access, because the vulnerable components don’t, for instance, listen for external traffic. But the ease with which even an inexperienced attacker can exploit it is what justifies the heightened level of concern.
In addition, security researchers have already independently verified the vulnerability. They were able to develop an exploit that gave them full root privileges, providing confirmation that this bug is easily exploitable across a range of different targets.
While we wait for the NVD to publish its scoring on CVE-2021-4034, Synopsys has already issued a Black Duck® Security Advisory, BDSA-2022-0246, and assigned it a CVSS score of 7.8.
The 7.8 rating makes it a “high-severity” vulnerability, meaning you should take action right away. Luckily, there is a patch already available for this vulnerability, and you should immediately upgrade your systems to the latest version. There is also a workaround that functions as a stop-gap while you evaluate your systems and perform necessary patches and upgrades.
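As an added example that is not part of the original post, the following POSIX shell audit reports whether a host’s pkexec still carries the setuid bit, so a fleet-wide run can separate patched or mitigated hosts from exposed ones. It assumes the stop-gap is clearing that setuid bit (the guidance in the public advisories), the usual install paths, and the package names shown; the fixed package version differs per distribution, so the script only prints it for comparison.

```sh
#!/bin/sh
# Audit one host for the PwnKit stop-gap: a pkexec that is still setuid-root stays
# exposed until the fixed polkit package is installed. The install paths and the
# "clear the setuid bit" mitigation are assumptions taken from public advisory
# guidance, not from this post.

# has_setuid PATH -> 0 if the setuid bit is set, 1 if clear, 2 if PATH is missing.
has_setuid() {
    [ -e "$1" ] || return 2
    [ -u "$1" ]
}

# find_pkexec -> prints the first pkexec in the usual locations or on PATH (empty if none).
find_pkexec() {
    for p in /usr/bin/pkexec /usr/local/bin/pkexec /bin/pkexec; do
        if [ -x "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    command -v pkexec 2>/dev/null || :
}

# polkit_version -> best-effort installed package version, for comparison against
# the distribution's own advisory (the fixed version differs per distro).
polkit_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        for n in pkexec policykit-1; do
            dpkg-query -W -f='${Version}\n' "$n" 2>/dev/null && return 0
        done
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' polkit 2>/dev/null && return 0
    fi
    echo unknown
}

# audit_pkexec [PATH] -> prints ABSENT, MITIGATED or EXPOSED and returns 1 only for
# EXPOSED, so a fleet-wide run can fail loudly on hosts that still need attention.
audit_pkexec() {
    target="${1:-$(find_pkexec)}"
    if has_setuid "$target"; then rc=0; else rc=$?; fi
    case $rc in
        2) printf 'ABSENT %s\n' "$target"; return 0 ;;
        1) printf 'MITIGATED %s (setuid clear; polkit %s, still install the fix)\n' \
               "$target" "$(polkit_version)"; return 0 ;;
        *) printf 'EXPOSED %s is setuid; patch, or as a stop-gap: chmod 0755 %s\n' \
               "$target" "$target"; return 1 ;;
    esac
}

# Run the audit only when invoked as: sh audit-pkexec.sh --run [path]
if [ "${1:-}" = "--run" ]; then audit_pkexec "${2:-}"; fi
```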
The news of this vulnerability comes as we’re still picking up the pieces from the Log4j vulnerability disclosed in December, so it serves as a stark reminder of the frequency with which open source vulnerabilities can surface. Vulnerabilities such as these often necessitate a significant overhaul, but organizations with consistent visibility into the software that powers their business can spend less time on exposure evaluation and more time on remediation. This is what makes a continuously updated software bill of materials (SBOM) the key to getting and staying ahead of attackers when the next open source vulnerability is found.
The PolKit package isn’t something that developers just decide to pull into an application they’re developing; rather, it comes along for the ride any time the affected Linux distributions are being used as the operating system – it’s sort of a “package deal,” no pun intended. Considering the widespread use of Linux, this introduces a unique risk, especially to organizations developing IoT devices, embedded systems, and virtual machine templates. To evaluate and solve this unique risk, Synopsys’ Black Duck software composition analysis (SCA) provides users with signature and binary analysis, so they can analyze firmware, determine if the vulnerable Linux distributions are included, and be armed with a complete list of any additional components included in their firmware and VMs.
Once you are armed with a comprehensive SBOM, Black Duck Security Advisories (BDSAs) provide an added layer of protection, with same-day notification of newly reported vulnerabilities. In the case of PolKit, Black Duck customers are busy working on remediation, while at the time of this blog, NVD has still not published data for it.
Originally posted on January 26, 2022, updated on January 27, 2022.