Checking for Vulnerable Systems for CVE-2021-4034 with PwnKit-Hunter
What is PwnKit Vulnerability CVE-2021-4034?
On January 25th, 2022, a critical vulnerability in polkit’s pkexec was publicly disclosed (link). The Qualys research team named this vulnerability “PwnKit”. The polkit package is meant for handling policies that allow unprivileged processes to communicate with privileged processes on Linux systems. Pkexec is part of polkit and handles the execution of commands by different user contexts following the polkit-defined policies. Vulnerable machines are installations of Ubuntu, Debian, Fedora, CentOS and more.
Why is it a dangerous vulnerability?
By exploiting this vulnerability, attackers on a vulnerable host could easily gain full root privileges from any unprivileged user.
The vulnerability has been widely discussed, and we believe malicious actors could start using it on vulnerable machines.
A POC of exploitation was also published publicly on GitHub:
https://github.com/arthepsy/CVE-2021-4034
Therefore, organizations and their security teams are advised to check their entire Linux-based machines and make sure they aren’t vulnerable.
What is “PwnKit-Hunter” and how it can help me?
PwnKit-Hunter is a set of tools that will help determine if your system’s polkit package is vulnerable to CVE-2021-4043, a.k.a. PwnKit.
The link for the “PwnKit-Hunter” detection scripts can be found here:
https://github.com/cyberark/PwnKit-Hunter
The tools are:
CVE-2021-4034_Finder.py:
This script uses your apt cache to find the current installed version of polkit and compare it to the patched version according to your distribution.
PwnKit-Patch-Finder.c:
The patch of Debian and Ubuntu to CVE-2021-4043 contained new exit() line that occurs only if the policykit-1 package is patched. This code will try to trigger this exit(), and will search for the appropriate code. In case pkexec exited with different code, the package needs to be updated.
DISCLAIMER: This script is only working on Debian and Ubuntu variants, as other distros patched the code in a different way.
How to run “PwnKit-Hunter”
CVE-2021-4034_Finder.py:
git clone https://github.com/cyberark/PwnKit-Hunter.git cd PwnKit-Hunter ./CVE-2021-4034_Finder.py
PwnKit-Patch-Finder.c:
git clone https://github.com/cyberark/PwnKit-Hunter.git cd PwnKit-Hunter gcc PwnKit-Patch-Finder.c -o PwnKit-Patch-Finder ./PwnKit-Patch-Finder
What is the mitigation?
The recommended fix is to update your systems according to the security advisories of your Linux distribution type.
RadHat: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001
Ubuntu: https://ubuntu.com/security/notices/USN-5252-1
Debian: https://security-tracker.debian.org/tracker/CVE-2021-4034
NIST Advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-4034
In order to mitigate it without updating, remove the setuid permission from pkexec:
chmod 0755 $(which pkexec)
To help ensure that the fix was fully deployed, CyberArk Labs developed simple scripts to detect and check if a scanned host is vulnerable or not.
The “PwnKit-Hunter” script is in the following GitHub repository: