UPDATED 21:08 EST / JANUARY 26 2022

SECURITY

12-year-old vulnerability in Linux gives attackers root privileges

A newly discovered 12-year-old vulnerability in a Linux system tool can give attackers root privileges on machines running the operating system.

Discovered and described Tuesday by researchers at Qualys Inc., the vulnerability, dubbed “PwnKit,” is found in the Polkit system tool. Polkit, previously known as PolicyKit, is a component for controlling systemwide privileges in Unixlike operating systems and provides an organized way for a nonprivileged process to communicate with privileged ones.

The vulnerability is found in Polkit’s pkexec, a SUID-root program installed by default on every major Linux distribution. Successful exploitation of the vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

The Qualys researchers were able to independently verify the vulnerability, develop an exploit and obtain full root privileges on default installs of Ubuntu, Debian, Fedora and CentOS. They warn that it’s likely exploitable on other Linux distributions as well.

The researchers sent details of the vulnerability to Red Hat in November with an advisory and patch sent to distros@openwall in earlier this month. A coordinated release date for the patch and details was set for Jan. 25.

The researchers noted that given the attack surface of the vulnerability in both Linux and non-Linux OS, users should apply patches for this vulnerability immediately. The need to do so is even more urgent, with Bleeping Computer reporting that an exploit already emerged in public some hours after Qualys first published the details.

“These types of vulnerabilities that have been lurking in networks for more than a decade can create real problems for security teams,” Greg Fitzgerald, co-founder of cloud-native security asset management platform company Sevco Security Inc., told SiliconANGLE. “Pkexec is installed by default on all major Linux distributions, making it ubiquitous across many enterprises.”

Fitzgerald noted that the priority for organizations has to be patching Linux machines across the enterprise, but there are issues.

“That’s all well and good for the machines that IT and security teams know about, but there are not many companies with an accurate IT asset inventory that dates back more than a decade,” Fitzgerald explained. “The unfortunate reality is that many organizations that patch all of the machines they’re aware of will still be susceptible to this vulnerability because they do not have an accurate inventory of their IT assets.”

The problem, he added, is that “you can’t apply a patch to an asset you don’t know is on your network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.”

Image: Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU