A newly discovered 12-year-old vulnerability in a Linux system tool can give attackers root privileges on machines running the operating system.

Discovered and described Tuesday by researchers at Qualys Inc., the vulnerability, dubbed “PwnKit,” is found in the Polkit system tool. Polkit, previously known as PolicyKit, is a component for controlling systemwide privileges in Unixlike operating systems and provides an organized way for a nonprivileged process to communicate with privileged ones.

The vulnerability is found in Polkit’s pkexec, a SUID-root program installed by default on every major Linux distribution. Successful exploitation of the vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

The Qualys researchers were able to independently verify the vulnerability, develop an exploit and obtain full root privileges on default installs of Ubuntu, Debian, Fedora and CentOS. They warn that it’s likely exploitable on other Linux distributions as well.

The researchers sent details of the vulnerability to Red Hat in November with an advisory and patch sent to distros@openwall in earlier this month. A coordinated release date for the patch and details was set for Jan. 25.

The researchers noted that given the attack surface of the vulnerability in both Linux and non-Linux OS, users should apply patches for this vulnerability immediately. The need to do so is even more urgent, with Bleeping Computer reporting that an exploit already emerged in public some hours after Qualys first published the details.

“These types of vulnerabilities that have been lurking in networks for more than a decade can create real problems for security teams,” Greg Fitzgerald, co-founder of cloud-native security asset management platform company Sevco Security Inc., told SiliconANGLE. “Pkexec is installed by default on all major Linux distributions, making it ubiquitous across many enterprises.”

Fitzgerald noted that the priority for organizations has to be patching Linux machines across the enterprise, but there are issues.

“That’s all well and good for the machines that IT and security teams know about, but there are not many companies with an accurate IT asset inventory that dates back more than a decade,” Fitzgerald explained. “The unfortunate reality is that many organizations that patch all of the machines they’re aware of will still be susceptible to this vulnerability because they do not have an accurate inventory of their IT assets.”

The problem, he added, is that “you can’t apply a patch to an asset you don’t know is on your network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.”

Image: Pixabay