This report is a collaboration between Medigate Research Labs & Claroty Team 82. Together, we are committed to advancing the state of device security.

A trivially exploitable vulnerability has been disclosed in Polkit, a component installed by default on many Linux distributions. Successful exploits of this vulnerability would grant an attacker full root privileges on the host. Most devices in the Extended Internet of Things (XIoT) are likely affected. 

Medigate Research Labs & Claroty Team 82 are tracking this announcement and are working to report on affected devices in our respective platforms.

Here’s what you need to know:

What is PwnKit? 

The vulnerability, which Qualys has named PwnKit (CVE-2021-4034) has been in Polkit—once known as PolicyKit—for more than a decade. Polkit manages system-wide privileges on Linux operating systems and oversees how non-privileged processes communicate with privileged ones. 

This memory-corruption issue likely impacts most devices in the XIoT, including industrial OT, enterprise IoT, and medical IoT equipment.  PwnKit is a local privilege escalation vulnerability, meaning that an attacker would already need to have access to a vulnerable host in order to exploit the vulnerability. 

Patches, Mitigations Available

Users who manage any Linux devices should determine their exposure and patch immediately. Qualys said it sent patches to affected distributions on Jan. 11; If a patch is not yet available for a particular Linux distribution, Qualys suggests as a mitigation that users remove the SUID-bit from Polkit’s pkexec function. 

Which Distributions are Affected?

In its advisory, Qualys said it was able to trigger the vulnerability in Polkit’s pkexec function and gain root access on default installations of Ubuntu, Debian, Fedora, and CentOS. It’s likely that other distributions are vulnerable, and exploitable. 

Team82 has confirmed it was able to trigger the vulnerability, see the video below. 

Have There Been Public Attacks?

Qualys said it is unaware of public exploits. Qualys did not publish its proof-of-concept exploit because of the ease of exploitation involved with attacking this vulnerability. Others, however, have already reverse-engineered the bug and published PoCs online, indicating that more malicious exploits may not be far behind. 

Evidence of Exploitation

Users can find artifacts of exploits in logs, but Qualys cautions that the vulnerability may be quietly exploited as well. 

“This exploitation technique leaves traces in the logs (either “The value for the SHELL variable was not found in the /etc/shells file” or “The value for environment variable […] contains suspicious content”),” Qualys said in its advisory. “However, please note that this vulnerability is also exploitable without leaving any traces in the logs.”

Beating the Drum on SBOMs

The disclosure of PwnKit is going to further inflame discussions about the security of open source software. Recently, the White House gathered tech leaders to discuss the issue in the context of the Log4j vulnerability in Apache. Log4j is a logging framework native to Apache that was ubiquitous across IT and operational technology environments. Multiple vulnerabilities and exploits surfaced post-disclosure, and the Biden administration expressed concern over the use of open source components in software used in critical infrastructure. 

The issue when vulnerabilities such as PwnKit and Log4j arise is that users may be blind to these components running inside commercial or homegrown applications, so they may not understand their exposure when critical vulnerabilities are disclosed. 

The Biden administration, in an Executive Order signed in May of last year, mandated that the federal government take steps to beef up the security of the software supply chain. The executive order was in reaction to the SolarWinds compromise of late 2020, which demonstrated the fragility of the supply chain and reinforced the need for secure software development practices and oversight of products used by the federal government and within critical infrastructure. 

One critical component of the executive order was the need for a software bill of materials (SBOM) to be made available for each product used by the federal government. SBOMs describe the software components used in the development of a commercial product. 

The availability of such a list would remove the mystery as to whether components such as Polkit, Log4j and others are running under the covers. Asset owners and IT administrators responsible for vulnerability management would immediately understand their exposure and be able to prioritize patching and other mitigations.