Detect CVE-2021-4034: A Notorious PwnKit Vulnerability Affecting All Major Linux Distros

What goes on in the dark must come out in the light. Security experts have revealed an especially dangerous 12-year-old bug affecting nearly all Linux hosts. The flaw enables full root access on literally any Linux machine for a local, unprivileged threat actor if successfully exploited.

CVE-2021-4034 (PwnKit) Description

While the cyber domain is still recovering from the log4j disaster, now security professionals have yet another security issue of similar scope and scale to confront. The bug, tracked as CVE-2021-4034, was introduced with the very first commit of Polkit’s pkexec function in 2009, affecting all existing Polkit versions.

Polkit (formerly PolicyKit) is a native element of Unix-like operating systems utilized to define and handle authorizations. As a part of this open source app framework, pkexec function provides the ability to launch commands with the highest privileges. Consequently, the PwnKit memory corruption issue offers adversaries the ability to gain root rights on systems leveraging default Polkit configs. Although there is no option for remote exploitation, any local users can instantly exploit CVE-2021-4034, says the analysis by Qualys. 

CentOS, Debian, Fedora, and Ubuntu were confirmed to be exposed. Other Linux operating systems are expected to be impacted as well.

PwnKit Exploit

During their investigation, the Qualys’ experts have come up with a working PoC exploit for CVE-2021-4034. However, since the exploitation routine is effortless, security experts decided not to publicly release the PoC for PwnKit.

Yet, nothing stays buried forever. Just a couple of hours after Qualys report went live, an avalanche of PoC broke forth. According to media outlets, these exploits are fully-functional and reliable. Furthermore, CERT/CC analyst Will Dormann refers to the exploits as both simple and universal, again proving that we should promptly expect massive exploitation in the wild.

CVE-2021-4034 (PwnKit) Detection and Mitigation

Qualys experts reported the nasty bug in mid-November 2021, and a patch for it was issued in January 2022. Users are urged to upgrade their installations ASAP due to the criticality of the security hole and a straightforward exploitation routine.

The patch by Polkit maintainers has already been placed on GitLab. Also, as Linux distros accessed it in advance, Ubuntu and Red Hat updates have already gone public to enhance the protections from the PwnKit flaw.

To identify possible exploitation attempts and protect your company infrastructure from PwnKit attacks, opt for downloading a set of curated Sigma rules by the SOC Prime Team. The detections below identify the abnormal behavior related to the PwnKit exploitation and are available for free in the SOC Prime Detection as Code platform:

Possible Local Privilege Escalation Vulnerability Exploitation in Polkit [CVE-2021-4034] (via keywords)

Possible Local Privilege Escalation Vulnerability Exploitation in Polkit [CVE-2021-4034] (via file_event)

Possible Local Privilege Escalation Vulnerability Exploitation in Polkit [CVE-2021-4034] (via cmdline)

The dynamically-updated list of detection rules for CVE-2021-4034 (PwnKit) is available by this link.

Join SOC Prime’s Detection as Code platform for free to search for the latest threats in your SIEM or XDR environment, improve your threat coverage by reaching the most relevant content aligned with the MITRE ATT&CK matrix, and overall, boost the organization’s cyber defense capabilities. Are you a content author? Tap into the power of the world’s largest cyber defense community by joining the SOC Prime Threat Bounty program, where researchers can monetize their own detection content.

Go to Platform Join Threat Bounty