Qualys Identifies Exploitable Linux Vulnerability Hidden for 12 Years

"This vulnerability is an attacker's dream come true."

After the revelations of the Log4j vulnerability last year, the infosec community has been rocked again by a security meltdown covering all major Linux systems. California-based cloud security provider Qualys discovered a vulnerability in pkexec, Polkit's SUID-root program.

Polkit (formerly PolicyKit) is ubiquitous on Linux and controls system-wide privileges in the operating system.

Qualys has already warned Linux-run companies: “This vulnerability is an attacker’s dream come true.”

The security flaw is easily exploitable and allows an unprivileged local user to gain root privileges on a vulnerable, unpatched host. That way, attackers can easily target any Linux-based cloud server to wreak havoc.

Red Hat has rated the vulnerability 7.8 on the Common Vulnerability Scoring System (CVSS), with a "high" availability impact, among other parameters.

This isn’t the first time security providers have identified a Polkit bug. Last June, GitHub researcher Kevin Backhouse discovered a seven-year-old polkit bug affecting major system utilities.

Pkexec is a part of Polkit and is responsible for communication between privileged and non-privileged processes. The buggy pkexec code lets attackers introduce unverified environment variables. The command is already well known among developers as a sudo-like command, with most Debian developers calling it "the sudo of systemd".

Interestingly, the flaw has shipped in Linux distributions for over 12 years and will be a top priority for major security providers from now on.

Qualys has already identified Ubuntu, Debian, Fedora and CentOS as vulnerable to the exploit. However, the list isn't exhaustive, and the team has hinted at more investigations.

Although the bug is a memory corruption, it can be exploited instantly and does not depend on the Linux kernel in any way. The attack works even when the polkit daemon is turned off or not running.

Linux is widely applauded in infosec circles for its tight security and high reliability. Most public cloud companies, including IBM, Oracle and Google, deploy Linux to run servers. However, this vulnerability can change the game, especially amid the rise of state-sponsored cyberattacks.

The Qualys team has released an advisory asking users to obtain patches from their Linux distributors. As an alternative, administrators can also consider removing the SUID bit from pkexec. In case systems have already been attacked, it's better to trace the logs and watch out for 'The value for the SHELL variable was not found in the /etc/shells file' or 'The value for […] variable contains suspicious content'.

The vulnerability sits in open-source code that proprietary products also ship, so manufacturers will have to retest those products after patching. Attackers are betting on a delayed response by these manufacturers, or by users slow to update their devices, to launch an attack.

Private sector stakeholders should think about creating a dialogue channel with federal officials to prepare better mitigation strategies and prevent further software vulnerabilities.

Avya Chaudhary
Avya Chaudhary is an engineer turned writer and an ardent Potterhead. Currently associated with TechnologyAdvice as a freelance writer, Avya develops high-quality content for businesses. She also has a well-demonstrated history of working with NGOs and civil societies, and is currently pursuing her passion for community service and content marketing.