We all know that Linux isn’t immune from malware, just naturally much more resistant to it. If you believed in the myth, then this warning from Cybersecurity researchers at Qualys should put a stop to that.
The vulnerability is located in Polkit’s pkexec component, which is included with most distros, and has apparently been there for around 12 years.
Polkit (formerly PolicyKit) is used to control system privileges within Linux and acts as a communications bridge between privileged and non-privileged processes. It has been a fundamental part of Linux since 2009 or so.
Arguably, any vulnerability that has gone unnoticed for that long isn’t a particularly high risk, but this is Linux, so it had to be fixed.
The vulnerability is tracked as CVE-2021-4034, and has since been addressed. If you’re running Linux, make sure your distro is updated.
The vulnerability grants root privileges to anyone who can get onto a system. On a default setup, a bad actor with local access can escalate to root and leave no trace.
According to the NIST security advisory:
“The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands.
“An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation giving unprivileged users administrative rights on the target machine.”
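To make the advisory’s wording concrete, here is a simplified reconstruction of the argument-handling pattern it describes, with the upstream-style fix beside it. This is an added illustration, not pkexec’s own source: the argument block, the variable names and the option handling are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The kernel lays out a process's argument block as
 *   argv[0..argc-1], NULL, envp[0..], NULL
 * so when a program is started with argc == 0, argv[0] is the NULL
 * terminator and argv[1] is really envp[0]. Indexing argv without
 * first checking argc therefore turns an environment string into
 * the "program to run". */

/* Vulnerable pattern: trusts argc and reads argv[1] even when argc == 0. */
const char *choose_program_vulnerable(int argc, char **argv)
{
    int n;
    for (n = 1; n < argc; n++) {            /* skip "--option" arguments */
        if (strncmp(argv[n], "--", 2) != 0)
            break;
    }
    return argv[n];                          /* argc == 0: this is envp[0] */
}

/* Hardened pattern, mirroring the upstream fix: refuse argc < 1 and
 * never index past argc. (pkexec itself exits with status 127 here.) */
const char *choose_program_hardened(int argc, char **argv)
{
    int n;
    if (argc < 1)
        return NULL;
    for (n = 1; n < argc; n++) {
        if (strncmp(argv[n], "--", 2) != 0)
            break;
    }
    return n < argc ? argv[n] : NULL;
}

/* Constructed argument block for a process launched with argc == 0:
 * argv points at the NULL, the environment follows immediately. */
char *argc_zero_block[] = { NULL, "EXAMPLE_VAR=constructed", "HOME=/root", NULL };
/* Constructed ordinary invocation (argc == 3). */
char *normal_argv[] = { "pkexec", "--disable-internal-agent", "/bin/true", NULL };

int main(void)
{
    const char *v = choose_program_vulnerable(0, argc_zero_block);
    const char *h = choose_program_hardened(0, argc_zero_block);
    printf("vulnerable picks: %s\n", v ? v : "(none)");   /* an env string */
    printf("hardened picks:   %s\n", h ? h : "(none)");   /* (none) */
    return 0;
}
```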
This exploit has been seen in use in the wild, and proof-of-concepts are available in various places online.
Once the flaw was discovered, the Polkit developers released a patch that secures the system. You may find it in your distro update; otherwise you can download it from GitLab. Afterwards, your system will no longer be vulnerable to this particular attack.
The Cybersecurity and Infrastructure Security Agency (CISA) did say there is evidence of this vulnerability being exploited, but wouldn’t elaborate on who, where, and when.
For now, the best course of action is to ensure every Linux system is running an updated distro.