
CVE-2021-4034 Temporary Workaround for Pkexec

Mitigate PwnKit (CVE-2021-4034) on Linux endpoints by removing the pkexec setuid bit until polkit is patched

Worklet Details

What the PwnKit mitigation Worklet does

This Automox Worklet™ mitigates CVE-2021-4034, the PwnKit local privilege escalation flaw in the polkit pkexec helper, on every Linux endpoint under Automox management. The Worklet rewrites the file mode on /usr/bin/pkexec from 4755 to 0755, which strips the setuid root bit and breaks the exploit primitive that PwnKit relies on. The remediation is a single chmod call and runs in well under a second per endpoint.

PwnKit is exploited end-to-end without crafted shellcode. Any unprivileged local user can invoke pkexec with a controlled argv and environment to trigger an out-of-bounds read in main() that loads attacker-controlled GCONV_PATH, executes a shared object as root, and returns a root shell. Removing the setuid bit means the binary still exists on disk and still answers to pkexec --version, but the kernel no longer elevates to UID 0 on exec. The exploit path collapses at that point.

Use this Worklet as containment, not as a permanent fix. The intended end state is a patched polkit package from your distribution's update channel (polkit ≥ 0.120-2 on Debian/Ubuntu, polkit ≥ 0.115-0.17 on RHEL/CentOS streams, equivalent backports on Fedora, SUSE, and Amazon Linux). After the patched package installs, reinstalling polkit or running chmod 4755 /usr/bin/pkexec restores normal pkexec functionality.

Why mitigate PwnKit at fleet scale

CVE-2021-4034 sits in pkexec code that has been present since polkit 0.113 in May 2009, so the exposure window on a long-running Linux fleet is roughly a decade of installs. Qualys published a working exploit alongside the disclosure on January 25, 2022, and proof-of-concept code in C, Python, and Go reached public repositories within hours. The bug is local, but every credentialed foothold on a Linux host – a stolen SSH key, a phished sudo password, a compromised CI runner, a forgotten developer login – becomes a path to root the moment PwnKit lands on the endpoint. The CVSS 3.1 score is 7.8 and CISA added the flaw to the Known Exploited Vulnerabilities catalog in June 2022, which puts federal civilian agencies on a binding remediation timeline.

The chmod 0755 workaround has been documented since Qualys published the original advisory, but the bottleneck on most Linux fleets is reaching every workstation, every container host, and every long-lived server before an attacker does. Applying the setuid removal through a single Automox policy run lands the fix on RHEL build hosts, Ubuntu developer workstations, and Debian-based CI runners in the same evaluation cycle, so a mixed Linux fleet can be hardened within one policy window while you stage the distribution-level polkit update through normal change control.

How the pkexec setuid removal works

  1. Evaluation phase: The script exits 1 unconditionally, which signals non-compliance to the Automox agent and schedules remediation on every evaluation. This is deliberate – the workaround is intended as a one-shot containment action, and the evaluation logic mirrors that intent rather than re-checking the file mode bit on each cycle.

  2. Remediation phase: The script sets two shell variables – location=/usr/bin and permission=0755 – and runs chmod 0755 /usr/bin/pkexec. On success it prints "Successfully set permission!" to stdout; on failure it prints "Unsuccessful at setting permission." so the failure surfaces in Automox activity logs. If a distribution stores pkexec outside /usr/bin (for example /usr/local/bin on some custom builds), edit the location variable in remediation.sh before scheduling the policy.

PwnKit mitigation requirements

  • Linux endpoint running any distribution that ships polkit with a setuid pkexec binary (RHEL, CentOS, Rocky, Alma, Fedora, Debian, Ubuntu, SUSE, Amazon Linux 2 and 2023, Oracle Linux)

  • pkexec installed at /usr/bin/pkexec by default; if your distribution uses a different path, update the location variable in remediation.sh

  • Root or sudo privileges for the Automox agent (the default agent context already meets this requirement)

  • Acceptance that pkexec-dependent workflows will fail until polkit is patched or the setuid bit is restored – test in a pilot ring before fleet-wide rollout

  • A planned follow-up patch policy or Automox patching schedule that upgrades polkit through the distribution package manager once vendor fixes are available in your channel

Expected pkexec state after mitigation

After remediation, /usr/bin/pkexec has mode 0755 instead of 4755 and the leading file-type/permission string from ls reads -rwxr-xr-x rather than -rwsr-xr-x. The binary still exists and still parses arguments, so monitoring tools that probe for its presence will not flag the host as missing polkit. The kernel no longer elevates UID on exec, which is the exact condition that defeats CVE-2021-4034. Subsequent attempts to run pkexec as a non-root user fall back to whatever the caller's own UID can do – effectively nothing privileged.

Validation steps. Confirm the file mode with stat -c '%a %n' /usr/bin/pkexec, which should return 755 /usr/bin/pkexec. Cross-check the symbolic permissions with ls -la /usr/bin/pkexec and verify the setuid s is gone. Run pkexec whoami as an unprivileged user; the call should fail with a permission or authentication error rather than returning root. For a deeper check, try the public Qualys proof-of-concept against a contained test host: a patched or mitigated endpoint exits without spawning a shell.

Restoring normal pkexec after patching. Once the distribution-level polkit upgrade is staged through Automox patching or your package channel, the patched package will rewrite /usr/bin/pkexec and restore mode 4755 on its own. If a patched package is not yet available and you need pkexec back for an admin workflow, run chmod 4755 /usr/bin/pkexec manually or reinstall the polkit package with the distribution's package manager. Track which endpoints have received the patched polkit version so the temporary mitigation is not left in place indefinitely.
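The following script is an added example and not the Automox Worklet's own evaluation.sh or remediation.sh. It turns the three actions described on this page (the evaluation and remediation phases under "How the pkexec setuid removal works", and the validation and restore steps above) into POSIX sh functions that take the pkexec path as an argument, so they can be exercised against a scratch file rather than the real binary. One deliberate difference from the Worklet: evaluate_pkexec inspects the setuid bit with test -u instead of exiting 1 unconditionally, so it doubles as a post-remediation validation check. The PKEXEC_ACTION environment variable and the function names are this example's own conventions; the /usr/bin/pkexec default path is the one the page documents.

```shell
#!/bin/sh
# Added example (not Automox's Worklet code): evaluate, remediate and restore
# the pkexec setuid bit, each parameterised on the binary path so the logic
# can be tested on a temporary file. Default path is the page's /usr/bin/pkexec.

PKEXEC_DEFAULT=/usr/bin/pkexec

# mode_of PATH -> octal mode string, the same field the page's
# stat -c '%a' validation step prints (755 after mitigation, 4755 before).
mode_of() {
    stat -c '%a' "$1"
}

# evaluate_pkexec [PATH]
# Exit status follows the Automox convention: 0 = compliant (nothing to do),
# non-zero = non-compliant (remediation should run). A missing binary counts
# as compliant because there is no setuid helper to abuse.
evaluate_pkexec() {
    path="${1:-$PKEXEC_DEFAULT}"
    if [ ! -e "$path" ]; then
        echo "no pkexec at $path; nothing to mitigate"
        return 0
    fi
    if [ -u "$path" ]; then
        echo "setuid bit present on $path (mode $(mode_of "$path")); non-compliant"
        return 1
    fi
    echo "setuid bit absent on $path (mode $(mode_of "$path")); compliant"
    return 0
}

# remediate_pkexec [PATH]
# Sets mode 0755, which drops the setuid bit, then re-checks with test -u so
# the success message is printed only when the bit is really gone.
remediate_pkexec() {
    path="${1:-$PKEXEC_DEFAULT}"
    if chmod 0755 "$path" && [ ! -u "$path" ]; then
        echo "Successfully set permission: $(stat -c '%a %n' "$path")"
        return 0
    fi
    echo "Unsuccessful at setting permission on $path" >&2
    return 1
}

# restore_pkexec [PATH]
# Puts the setuid bit back (mode 4755) for the case the page describes:
# a patched polkit is installed but the package did not reset the mode itself.
restore_pkexec() {
    path="${1:-$PKEXEC_DEFAULT}"
    if chmod 4755 "$path" && [ -u "$path" ]; then
        echo "Restored setuid: $(stat -c '%a %n' "$path")"
        return 0
    fi
    echo "Unsuccessful at restoring setuid on $path" >&2
    return 1
}

# Stand-alone use on a real host (needs root, like the Worklet):
#   PKEXEC_ACTION=mitigate sh pkexec_mitigate.sh [/path/to/pkexec]
#   PKEXEC_ACTION=restore  sh pkexec_mitigate.sh [/path/to/pkexec]
# Without PKEXEC_ACTION the file only defines the functions above.
case "${PKEXEC_ACTION:-}" in
    mitigate) evaluate_pkexec "${1:-}" || remediate_pkexec "${1:-}" ;;
    restore)  restore_pkexec "${1:-}" ;;
esac
```

Because evaluate_pkexec checks the actual mode bit, scheduling it on every evaluation cycle makes the agent re-apply the chmod only if something (a package reinstall, a manual chmod 4755, a configuration tool enforcing the old mode) has put the setuid bit back, which is also the drift condition an operator wants to see in activity logs while the temporary mitigation is in force.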


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
