{"id":20642,"date":"2022-01-26T19:48:30","date_gmt":"2022-01-26T19:48:30","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=20642"},"modified":"2022-01-26T19:48:30","modified_gmt":"2022-01-26T19:48:30","slug":"pwnkit-linux-flaw-hits-all-distributions","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/","title":{"rendered":"Easily Exploitable Linux Flaw Exposes All Distributions: Qualys"},"content":{"rendered":"<p>An easily exploited flaw in a program found in every major Linux distribution is the latest serious security issue that has arisen in the <a href=\"https:\/\/www.esecurityplanet.com\/applications\/open-source-security-a-big-problem\/\">open-source<\/a> space in recent weeks.<\/p>\n<p>Researchers at cybersecurity vendor Qualys this week disclosed the memory corruption vulnerability in polkit\u2019s pkexec, which if exploited by a bad actor can enable an unprivileged user to gain full root privileges on a system, giving the unprivileged user administrative rights.<\/p>\n<p>The vulnerability, tracked as <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-4034\">CVE-2021-4034<\/a>, has \u201cbeen hiding in plain sight\u201d for more than 12 years and affects all versions of polkit\u2019s pkexec since it was first developed in 2009, Bharat Jogi, director of vulnerability and threat research at Qualys, wrote in a <a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2022\/01\/25\/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034\">blog post<\/a>.<\/p>\n<p>Polkit\u2019s (formerly PolicyKit) pkexec is a component used to control system-wide privileges in Unix-like operating systems, enabling non-privileged processes to communicate with <a href=\"https:\/\/www.esecurityplanet.com\/products\/privileged-access-management-pam-software\/\">privileged processes<\/a> in an organized fashion. 
It also can be used to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed with root permission.<\/p>\n<p>The flaw can\u2019t be exploited remotely, but if an attacker can log in as any unprivileged user, the vulnerability can be quickly exploited, according to Qualys. Red Hat rated the severity of the flaw a <a href=\"https:\/\/access.redhat.com\/security\/cve\/CVE-2021-4034\">7.8 out of 10<\/a> on the CVSS scale.<\/p>\n<p>See also: <a href=\"https:\/\/www.esecurityplanet.com\/products\/vulnerability-management-software\/\">Top Vulnerability Management Tools<\/a><\/p>\n<h2><strong>Every Linux Distribution is Vulnerable<\/strong><\/h2>\n<p>The pkexec component is widely used; it\u2019s installed as a default in every major Linux distribution and Qualys was able to verify the vulnerability, develop an exploit and gain full root privileges on installations of Ubuntu, Debian, Fedora and CentOS, Jogi wrote, adding that \u201cother Linux distributions are likely vulnerable and probably exploitable.\u201d<\/p>\n<p>He wrote that Qualys won\u2019t publish exploit code for the vulnerability \u2013 dubbed PwnKit \u2013 but said that \u201cgiven how easy it is to exploit the vulnerability, we anticipate public exploits to become available within a few days of this blog\u2019s post date.\u201d<\/p>\n<p>Vulnerabilities like PwnKit \u2013 which have been present for more than a decade and are ubiquitous in Linux distributions and, therefore, enterprises \u2013 pose a significant challenge for security teams, according to Greg Fitzgerald, co-founder and chief experience officer for cybersecurity firm Sevco Security. 
The priority for organizations should be to patch their Linux machines, but it\u2019s not an easy task.<\/p>\n<p>\u201cThat\u2019s all well and good for the machines that IT and security teams know about, but there are not many companies with an accurate IT asset inventory that dates back more than a decade,\u201d Fitzgerald told <em>eSecurity Planet<\/em>. \u201cThe unfortunate reality is that many organizations that patch all of the machines they\u2019re aware of will still be susceptible to this vulnerability because they do not have an accurate inventory of their IT assets. You can\u2019t apply a patch to an asset you don\u2019t know is on your network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.\u201d<\/p>\n<figure id=\"attachment_20646\" aria-describedby=\"caption-attachment-20646\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-20646\" src=\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/01\/qualys-cybersecurity-asset-management-e1643226394707.jpg\" alt=\"cybersecurity asset management\" width=\"900\" height=\"505\" \/><figcaption id=\"caption-attachment-20646\" class=\"wp-caption-text\">Qualys PwnKit detection<\/figcaption><\/figure>\n<p>See also: <a href=\"https:\/\/www.esecurityplanet.com\/products\/top-it-asset-management-tools-for-security\/\">Top IT Asset Management Tools for Security<\/a><\/p>\n<h2><strong>Patching Open-Source Systems a Challenge<\/strong><\/h2>\n<p>Bud Broomhead, CEO of cybersecurity company Viakoo, told <em>eSecurity Planet<\/em> that patching a flaw on open-source systems can be challenging for enterprises.<\/p>\n<blockquote><p>&#8216;a single open-source vulnerability can be present in multiple systems&#8217;<\/p><\/blockquote>\n<p>\u201cUnlike fully proprietary systems where a single manufacturer can issue a single patch to address a vulnerability, a 
single open-source vulnerability can be present in multiple systems \u2013 including proprietary ones \u2013 which then requires multiple manufacturers to separately develop, test and distribute a patch,\u201d Broomhead said. \u201cFor both the manufacturer and end user, this adds enormous time and complexity to implementing a security fix for a known vulnerability.\u201d<\/p>\n<p>Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber, said that a vulnerability that gives root access on a Linux system is bad, but that \u201cfortunately, this vulnerability is a local exploit, which mitigates some risk.\u00a0Until patches are broadly available, SysAdmins can remove the SUID bit from pkexec \u2013 using: <code># chmod 0755 \/usr\/bin\/pkexec<\/code> \u2013 to temporarily mitigate the problem.\u201d<\/p>\n<p>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/products\/patch-management-software\/\">Best Patch Management Software<\/a><\/p>\n<h2><strong>Flaw Found in November<\/strong><\/h2>\n<p>Qualys discovered the vulnerability in November 2021 and notified Red Hat. This week the announcement of PwnKit was made in coordination with Red Hat and other distributors.<\/p>\n<p>\u201cGiven the breadth of the attack surface for this vulnerability across both Linux and non-Linux OS, Qualys recommends that users apply patches for this vulnerability immediately,\u201d Jogi wrote. \u201cWe expect vendors to release patches for this vulnerability in the short term. Qualys Patch Management can be used to deploy those patches to vulnerable assets, when available.\u201d<\/p>\n<p>The PwnKit flaw comes in the wake of other recent disclosures about security issues involving open-source software. 
At the top of the list is the <a href=\"https:\/\/www.esecurityplanet.com\/threats\/iran-based-apt35-group-exploits-log4j-flaw\/\">critical remote execution flaw in Log4j<\/a> \u2013 the flaw is dubbed Log4Shell \u2013 that was revealed in December and has been targeted by state-sponsored hacking groups looking to leverage the vulnerability to stage attacks.<\/p>\n<h2><strong>In the Wake of Log4j<\/strong><\/h2>\n<p>Like polkit\u2019s pkexec, Log4j \u2013 a Java logging tool \u2013 has broad enterprise use across data centers and cloud-based services that could be exposed to the\u00a0<a href=\"https:\/\/www.esecurityplanet.com\/threats\/zero-day-threat\/\">zero-day vulnerability<\/a>. Log4j is a free and widely distributed open-source tool from the Apache Software Foundation and the flaw affects versions 2.0 through 2.14.1. Log4Shell is tracked as CVE-2021-44228.<\/p>\n<p>In addition, a report released this month by CrowdStrike found that incidents of <a href=\"https:\/\/www.esecurityplanet.com\/threats\/attacks-escalating-against-linux-based-iot-devices\/\">malware targeting Linux-based Internet of Things (IoT) devices<\/a> grew by more than a third year-to-year in 2021, with the primary goal being to compromise the devices, pull them into botnets and use them for <a href=\"https:\/\/www.esecurityplanet.com\/products\/distributed-denial-of-service-ddos-protection-vendors\/\">distributed denial-of-service (DDoS)<\/a> attacks.<\/p>\n<p>\u201cWith various Linux builds and distributions at the heart of cloud infrastructures, mobile and IoT, it presents a massive opportunity for threat actors,\u201d a CrowdStrike researcher wrote in a blog post.<\/p>\n<h2><strong>Open Source in the Crosshairs<\/strong><\/h2>\n<p>\u201cThreat actors find open-source systems extremely attractive,\u201d Viakoo\u2019s Broomhead said. 
\u201cVulnerabilities that exploit open-source systems \u2013 like the recent Log4j vulnerability \u2013 require patches and updates to be developed by multiple device or system manufacturers, and threat actors are betting on some manufacturers being slow in releasing fixes and some end users being slow in updating their devices.\u201d<\/p>\n<p>He said what enterprises need is a <a href=\"https:\/\/www.esecurityplanet.com\/compliance\/sbom\/\">software bill of materials<\/a> to make finding vulnerable systems easier, automated deployment of security fixes and extending the <a href=\"https:\/\/www.esecurityplanet.com\/products\/zero-trust-security-solutions\/\">zero-trust architecture<\/a> to IoT and operational technology (OT) systems, which \u201ccan add additional security to prevent vulnerabilities from being exploited.\u201d<\/p>\n<p>Vulcan Cyber\u2019s Bar-Dayan said the \u201copen-source software model is a two-edged blade.\u00a0On one side, everyone can look at the code and audit it to identify and patch vulnerabilities.\u00a0On the other side, threat actors can look at the code and find subtle issues that everyone else has missed.\u00a0The advantages of this model have historically outweighed the disadvantages, with many eyes on the code and patches frequently appearing very rapidly after a vulnerability comes to light.\u201d<\/p>\n<p>Improved auditing will help catch and correct vulnerabilities before they are used in the wild, and improved integration with vulnerability and patch management tools will make OSS-based systems even more secure and easy to maintain, he said.<\/p>\n<p>Also read:<\/p>\n<p><a href=\"https:\/\/www.esecurityplanet.com\/networks\/vulnerability-scanning-tools\/\">13 Best Vulnerability Scanner Tools<\/a><\/p>\n<p><a href=\"https:\/\/www.esecurityplanet.com\/products\/open-source-security-tools\/\">Top Open Source Security Tools<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>An easily exploited flaw in a program found in every major Linux distribution is the latest serious security issue that has arisen in the open-source space in recent weeks. Researchers at cybersecurity vendor Qualys this week disclosed the memory corruption vulnerability in polkit\u2019s pkexec, which if exploited by a bad actor can enable an unprivileged [&hellip;]<\/p>\n","protected":false},"author":256,"featured_media":20646,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[15],"tags":[10990,15272,23281],"b2b_audience":[33],"b2b_industry":[],"b2b_product":[31780,379],"class_list":["post-20642","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threats","tag-critical-vulnerabilities","tag-linux-security","tag-open-source-security","b2b_audience-awareness-and-consideration","b2b_product-patch-management","b2b_product-threats-and-vulnerabilities"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Easily Exploitable Linux Flaw Exposes All Distributions: Qualys | eSecurity Planet<\/title>\n<meta name=\"description\" content=\"An easily exploited flaw in a program found in every major Linux distribution is the latest serious open source security issue.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Easily Exploitable Linux Flaw Exposes All Distributions: Qualys | eSecurity Planet\" \/>\n<meta property=\"og:description\" content=\"An easily exploited flaw in a program found in every major Linux distribution is the latest serious open source security issue.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2022-01-26T19:48:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/01\/qualys-cybersecurity-asset-management-e1643226394707.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"900\" \/>\n\t<meta property=\"og:image:height\" content=\"505\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jeff Burt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jeff Burt\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/\"},\"author\":{\"name\":\"Jeff Burt\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/62368dee45ce8f1ffc35abf9f8cc854e\"},\"headline\":\"Easily Exploitable Linux Flaw Exposes All Distributions: Qualys\",\"datePublished\":\"2022-01-26T19:48:30+00:00\",\"dateModified\":\"2022-01-26T19:48:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/\"},\"wordCount\":1213,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/01\/qualys-cybersecurity-asset-management-e1643226394707.jpg\",\"keywords\":[\"critical vulnerabilities\",\"Linux security\",\"open source security\"],\"articleSection\":[\"Threats\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/\",\"name\":\"Easily Exploitable Linux Flaw Exposes All Distributions: Qualys | eSecurity 
Planet\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/01\/qualys-cybersecurity-asset-management-e1643226394707.jpg\",\"datePublished\":\"2022-01-26T19:48:30+00:00\",\"dateModified\":\"2022-01-26T19:48:30+00:00\",\"description\":\"An easily exploited flaw in a program found in every major Linux distribution is the latest serious open source security issue.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/01\/qualys-cybersecurity-asset-management-e1643226394707.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/01\/qualys-cybersecurity-asset-management-e1643226394707.jpg\",\"width\":900,\"height\":505,\"caption\":\"Qualys PwnKit detection\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Easily Exploitable Linux Flaw Exposes All Distributions: 
Qualys\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep your business secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/62368dee45ce8f1ffc35abf9f8cc854e\",\"name\":\"Jeff Burt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/07\/Jeff-Burt-photo-150x150.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/07\/Jeff-Burt-photo-150x150.jpg\",\"caption\":\"Jeff Burt\"},\"description\":\"Jeffrey Burt has been a journalist for more than three decades, the last 20-plus years covering technology. 
During more than 16 years with eWEEK, he covered everything from data center infrastructure and collaboration technology to AI, cloud, quantum computing and cybersecurity. A freelance journalist since 2017, his articles have appeared on such sites as eWEEK, eSecurity Planet, Enterprise Networking Planet, Enterprise Storage Forum, The Next Platform, ITPro Today, Channel Futures, Channelnomics, SecurityNow, and Data Breach Today.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/jburt\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Easily Exploitable Linux Flaw Exposes All Distributions: Qualys | eSecurity Planet","description":"An easily exploited flaw in a program found in every major Linux distribution is the latest serious open source security issue.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/","og_locale":"en_US","og_type":"article","og_title":"Easily Exploitable Linux Flaw Exposes All Distributions: Qualys | eSecurity Planet","og_description":"An easily exploited flaw in a program found in every major Linux distribution is the latest serious open source security issue.","og_url":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/","og_site_name":"eSecurity Planet","article_published_time":"2022-01-26T19:48:30+00:00","og_image":[{"width":900,"height":505,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/01\/qualys-cybersecurity-asset-management-e1643226394707.jpg","type":"image\/jpeg"}],"author":"Jeff Burt","twitter_card":"summary_large_image","twitter_creator":"@eSecurityPlanet","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Jeff Burt","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#article","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/"},"author":{"name":"Jeff Burt","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/62368dee45ce8f1ffc35abf9f8cc854e"},"headline":"Easily Exploitable Linux Flaw Exposes All Distributions: Qualys","datePublished":"2022-01-26T19:48:30+00:00","dateModified":"2022-01-26T19:48:30+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/"},"wordCount":1213,"publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/01\/qualys-cybersecurity-asset-management-e1643226394707.jpg","keywords":["critical vulnerabilities","Linux security","open source security"],"articleSection":["Threats"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/","url":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/","name":"Easily Exploitable Linux Flaw Exposes All Distributions: Qualys | eSecurity 
Planet","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#primaryimage"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/01\/qualys-cybersecurity-asset-management-e1643226394707.jpg","datePublished":"2022-01-26T19:48:30+00:00","dateModified":"2022-01-26T19:48:30+00:00","description":"An easily exploited flaw in a program found in every major Linux distribution is the latest serious open source security issue.","breadcrumb":{"@id":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#primaryimage","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/01\/qualys-cybersecurity-asset-management-e1643226394707.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/01\/qualys-cybersecurity-asset-management-e1643226394707.jpg","width":900,"height":505,"caption":"Qualys PwnKit detection"},{"@type":"BreadcrumbList","@id":"https:\/\/www.esecurityplanet.com\/threats\/pwnkit-linux-flaw-hits-all-distributions\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esecurityplanet.com\/"},{"@type":"ListItem","position":2,"name":"Easily Exploitable Linux Flaw Exposes All Distributions: Qualys"}]},{"@type":"WebSite","@id":"https:\/\/www.esecurityplanet.com\/#website","url":"https:\/\/www.esecurityplanet.com\/","name":"eSecurity Planet","description":"Industry-leading guidance and analysis for how to keep 
your business secure.","publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esecurityplanet.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esecurityplanet.com\/#organization","name":"eSecurityPlanet","url":"https:\/\/www.esecurityplanet.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","width":1134,"height":375,"caption":"eSecurityPlanet"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/eSecurityPlanet"]},{"@type":"Person","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/62368dee45ce8f1ffc35abf9f8cc854e","name":"Jeff Burt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/07\/Jeff-Burt-photo-150x150.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2021\/07\/Jeff-Burt-photo-150x150.jpg","caption":"Jeff Burt"},"description":"Jeffrey Burt has been a journalist for more than three decades, the last 20-plus years covering technology. During more than 16 years with eWEEK, he covered everything from data center infrastructure and collaboration technology to AI, cloud, quantum computing and cybersecurity. 
A freelance journalist since 2017, his articles have appeared on such sites as eWEEK, eSecurity Planet, Enterprise Networking Planet, Enterprise Storage Forum, The Next Platform, ITPro Today, Channel Futures, Channelnomics, SecurityNow, and Data Breach Today.","url":"https:\/\/www.esecurityplanet.com\/author\/jburt\/"}]}},"_links":{"self":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/20642"}],"collection":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/users\/256"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/comments?post=20642"}],"version-history":[{"count":0,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/20642\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media\/20646"}],"wp:attachment":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media?parent=20642"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/categories?post=20642"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/tags?post=20642"},{"taxonomy":"b2b_audience","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_audience?post=20642"},{"taxonomy":"b2b_industry","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_industry?post=20642"},{"taxonomy":"b2b_product","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_product?post=20642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}