ALERT: Apply patches to Linux systems with policykit package

Wednesday, January 26, 2022

This message was sent to U-M IT groups on January 26, 2022. It is intended for U-M IT staff who are responsible for university servers running Linux systems with Polkit's pkexec component installed.

Summary

A vulnerability in Polkit's pkexec component is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. Apply appropriate patches to vulnerable systems immediately after appropriate testing.

Problem

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. The pkexec program could be used by local attackers to increase privileges to root on default installations of Ubuntu, Debian, Fedora, and CentOS.

Affected Systems

All Linux systems with the policykit package installed:

  • Ubuntu versions 14.04, 16.04, 18.04, 20.04, 21.10
  • Debian Distributions
  • Fedora Distributions
  • CentOS Distributions
  • Red Hat Enterprise Linux 6 Extended Lifecycle Support
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 7.3 Advanced Update Support
  • Red Hat Enterprise Linux 7.4 Advanced Update Support
  • Red Hat Enterprise Linux 7.6 Advanced Update Support
  • Red Hat Enterprise Linux 7.6 Telco Extended Update Support
  • Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  • Red Hat Enterprise Linux 7.7 Advanced Update Support
  • Red Hat Enterprise Linux 7.7 Telco Extended Update Support
  • Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
  • Red Hat Enterprise Linux 8.2 Extended Update Support
  • Red Hat Enterprise Linux 8.4 Extended Update Support

Action Items

The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21). Immediately apply mitigations to any systems that allow remote access without requiring Duo or other two-factor authentication, including login servers and web servers. Otherwise, apply appropriate patches to vulnerable systems immediately after appropriate testing. See the following for update instructions:

If a patch is not available for your distribution of Linux or if you are unable to immediately apply patches, you can remove the SUID-bit from pkexec as a temporary mitigation: chmod 0755 /usr/bin/pkexec

Threats

This vulnerability is extremely easy to exploit and exploitation code has been released to the public.

Technical Details

The current version of pkexec doesn't handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way to induce pkexec to execute arbitrary code as root.

Detection

For Red Hat systems, a vulnerability detection script can determine if your system is currently vulnerable to this flaw. To download the detection script, see Diagnose: RHSB-2022-001 Polkit Privilege Escalation - (CVE-2021-4034).

How We Protect U-M

  • ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

  • IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.

  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.

  • IA provides vulnerability management guidance to the university.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.