Update (1/26/2022): The Automox team has created a Worklet so that teams can automate evaluation and remediation of the workaround, if they so choose. You can copy/paste the evaluation and remediation code into their respective places in a Worklet - see “Automox PwnKit Worklet for Temporary Remediation” for more details.
A new vulnerability present in nearly every popular Linux distribution has been publicly disclosed. CVE-2021-4034 – dubbed “PwnKit” – is a memory corruption vulnerability in Polkit’s pkexec that allows any unprivileged local user to gain full root access when exploited successfully.
Pkexec is present by default in nearly all Linux distributions including Ubuntu, Debian, Fedora, and CentOS. There are likely many more distributions affected, though this list is what has been confirmed so far. Qualys also notes that the vulnerability has been exposed on many systems since 2009.
Details of the vulnerability have been released publicly, so you can expect exploits to become public in the coming days. Something to note here is that this vulnerability does require local access to the system and can be used as a secondary persistence mechanism after access is obtained elsewhere.
Distributions are already releasing patches, and patching is our recommended remediation. If you have a patch-all policy scheduled in Automox for the following distributions, your systems should patch automatically:
RHEL 6+
SUSE Linux Enterprise Server (SLES) 12+
CentOS 6+
Fedora 28+
Debian 8+
Ubuntu 16.04+ LTS
Amazon Linux 1+
AlmaLinux 8.3+
Oracle Linux 8.0+
If you’re unable to patch immediately, you can change the default permissions on pkexec. Doing so renders pkexec effectively useless, so take that into consideration before going this route.
To remediate without a patch, you can remove the SUID bit from pkexec using chmod: chmod 0755 /usr/bin/pkexec. When you are able to update your systems, this file will be replaced and its permissions, including the SUID bit, will revert to their defaults.
Automox PwnKit Worklet for Temporary Remediation
Note that the evaluation script simply passes to remediation, which will disable pkexec's ability to operate as intended. Again, please thoroughly test before applying to systems in production.
Evaluation Script
#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+ This is a very simple workaround for CVE-2021-4034.
#% WARNING: This fix will disable pkexec's ability to
#% operate as intended. This workaround should be thoroughly
#% tested before being applied to systems in production.
#% DESCRIPTION
#% This is a very simple workaround for CVE-2021-4034. The
#% workaround removes the setuid value from pkexec until
#% it can be properly patched. Updating the file to a patched
#% version should reset the permissions and restore the setuid
#% flag.
#% USAGE
#% ./evaluation.sh
#%
#% EXAMPLES
#% ./evaluation.sh
#%
#================================================================
#- IMPLEMENTATION
#- version WF-597-pkexec_temporary_fix (www.automox.com) 1.0
#- author Michael King
#-
#================================================================
# HISTORY
# 01/26/2022 : Michael King : Script creation
# ##/##/#### : ####: Validated and catalogued
#
#================================================================
# END_OF_HEADER
#================================================================
exit 1
Remediation Script
#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+ This is a very simple workaround for CVE-2021-4034.
#% WARNING: This fix will disable pkexec's ability to
#% operate as intended. This workaround should be thoroughly
#% tested before being applied to systems in production.
#% DESCRIPTION
#% This is a very simple workaround for CVE-2021-4034. The
#% workaround removes the setuid value from pkexec until
#% it can be properly patched. Updating the file to a patched
#% version should reset the permissions and restore the setuid
#% flag.
#% USAGE
#% ./remediation.sh
#%
#% EXAMPLES
#% ./remediation.sh
#%
#================================================================
#- IMPLEMENTATION
#- version WF-597-pkexec_temporary_fix (www.automox.com) 1.0
#- author Michael King
#-
#================================================================
# HISTORY
# 01/26/2022 : Michael King : Script creation
# ##/##/#### : ####: Validated and catalogued
#
#================================================================
# END_OF_HEADER
#================================================================
# /usr/bin is the default location for pkexec. If your distro is
# using a different location, update this on the line below.
location=/usr/bin
# The permissions to be set. 0755 will remove the escalated
# permissions (setuid) of pkexec. The default permission is 4755,
# so use that value to revert if problems occur.
permission=0755
# Quote the variables so an edited path containing spaces still works.
if chmod "$permission" "$location/pkexec" 2>&1; then
    echo "Successfully set permission!"
else
    echo "Unsuccessful at setting permission."
    # Report the failure through the exit status as well as the message.
    exit 1
fi
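The evaluation script above always exits 1, so remediation runs on every pass. The following is an added example, not part of Automox's Worklet, that checks for the setuid bit first and only hands off when it is still set. It assumes exit 0 means compliant and non-zero passes to remediation; the function names and the --run flag are hypothetical.

```shell
#!/bin/bash
# Added example (not Automox's Worklet code): evaluate whether the
# pkexec SUID workaround is still needed before handing off to remediation.
# Assumption: exit 0 = compliant, non-zero = pass to remediation.

# pkexec_state PATH -> prints absent | suid | mitigated
pkexec_state() {
    local target="$1"
    if [ ! -f "$target" ]; then
        echo "absent"        # pkexec is not installed at this path
    elif [ -u "$target" ]; then
        echo "suid"          # setuid bit present (default mode 4755)
    else
        echo "mitigated"     # setuid bit cleared (workaround mode 0755)
    fi
}

# evaluate [PATH...] -> returns 1 if any path still carries the setuid bit
evaluate() {
    local rc=0 target state
    # /usr/bin/pkexec is the page's default; pass other paths for other distros.
    [ "$#" -gt 0 ] || set -- /usr/bin/pkexec
    for target in "$@"; do
        state="$(pkexec_state "$target")"
        echo "$target: $state"
        if [ "$state" = "suid" ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Execute only when called with --run so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    shift
    evaluate "$@"
    exit $?
fi
```

Once a patched package restores mode 4755, this check reports "suid" again, so pair it with a patch-level check before relying on it long term.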