UPDATED: Linux PwnKit Vulnerability Gives Full Root Access on Most Major Distributions

New Linux PwnKit Vulnerability Gives Full Root Access

Update (1/26/2022): The Automox team has created a Worklet so that teams can automate evaluation and remediation of the workaround, if they so choose. You can copy/paste the evaluation and remediation code into their respective places in a Worklet - see “Automox PwnKit Worklet for Temporary Remediation” for more details.


A new vulnerability present in nearly every popular Linux distribution has been publicly disclosed. CVE-2021-4034 – dubbed “PwnKit” – is a memory corruption vulnerability in Polkit’s pkexec that allows any unprivileged local user to gain full root access when exploited successfully.

Pkexec is present by default in nearly all Linux distributions including Ubuntu, Debian, Fedora, and CentOS. There are likely many more distributions affected, though this list is what has been confirmed so far. Qualys also notes that the vulnerability has been exposed on many systems since 2009.

Details of the vulnerability have been released publicly, so you can expect exploits to become public in the coming days. Something to note here is that this vulnerability does require local access to the system and can be used as a secondary persistence mechanism after access is obtained elsewhere.

Patches are already being released for distributions, which is our recommended remediation. If you have a patch-all policy scheduled in Automox for the following distributions, your systems should patch automatically:

  • RHEL 6+

  • Suse Linux Enterprise Server (SLES) 12+

  • CentOS 6+

  • Fedora 28+

  • Debian 8+

  • Ubuntu 16.04+ LTS

  • Amazon Linux 1+

  • AlmaLinux 8.3+

  • Oracle Linux 8.0+

If you’re unable to patch immediately, you can update the permissions pkexec has by default. If you do go this route, you will render pkexec effectively useless, so be sure to take that into consideration before going this route.

To remediate without a patch, you can remove the SUID-bit pkexec has using chmod: chmod 0755 /usr/bin/pkexec. When you are able to update your systems, this file will be replaced and read/write permissions will be reverted back to their defaults.

Note that the evaluation script simply passes to remediation, which will disable pkexec's ability to operate as intended. Again, please thoroughly test before applying to systems in production.


Automox PwnKit Worklet for Temporary Remediation

Note that the evaluation script simply passes to remediation, which will disable pkexec's ability to operate as intended. Again, please thoroughly test before applying to systems in production.

Evaluation Script

#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+    This is a very simple workaround for CVE-2021-4034.
#%    WARNING: This fix will disable pkexec's ability to
#%    operate as intended.  This workaround should be thoroughly
#%    tested before being applied to systems in production.
#% DESCRIPTION
#%    This is a very simple workaround for CVE-2021-4034.  The
#%    workaround removes the setuid value from pkexec until
#%    it can be properly patched.  Updating the file to a patched
#%    version should reset the permissions and restore the setuid
#%    flag.
#% USAGE
#%    ./evaluation.sh
#%
#% EXAMPLES
#%  ./evaluation.sh
#%
#================================================================
#- IMPLEMENTATION
#-    version         WF-597-pkexec_temporary_fix (www.automox.com) 1.0
#-    author          Michael King
#-
#================================================================
#  HISTORY
#     01/26/2022 : Michael King : Script creation
#     ##/##/#### : ####: Validated and catalogued
#
#================================================================
# END_OF_HEADER
#================================================================
exit 1

Remediation Script

!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+    This is a very simple workaround for CVE-2021-4034.
#%    WARNING: This fix will disable pkexec's ability to
#%    operate as intended.  This workaround should be thoroughly
#%    tested before being applied to systems in production.
#% DESCRIPTION
#%    This is a very simple workaround for CVE-2021-4034.  The
#%    workaround removes the setuid value from pkexec until
#%    it can be properly patched.  Updating the file to a patched
#%    version should reset the permissions and restore the setuid
#%    flag.
#% USAGE
#%    ./remediation.sh
#%
#% EXAMPLES
#%  ./remediation.sh
#%
#================================================================
#- IMPLEMENTATION
#-    version        WF-597-pkexec_temporary_fix (www.automox.com) 1.0
#-    author         Michael King
#-
#================================================================
#  HISTORY
#     01/26/2022 : Michael King : Script creation
#     ##/##/#### : ####: Validated and catalogued
#
#================================================================
# END_OF_HEADER
#================================================================
# /usr/bin is the default location for pkexec.  If your dstro is
# using a different location update this on the line below.
location=/usr/bin
# The permissions to be set.  0755 will remove the escalated
# permissions(setuid) of pkexec.  The default permission is 4755,
# so use that value to revert if problems occur.
permission=0755
if chmod $permission $location/pkexec 2>&1; then
echo "Successfully set permission!" 2>&1
else
echo "Unsuccessful at setting permission." 2>&1
fi

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.

Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.