On January 25, 2022, the Qualys Research Team released a report on the discovery of CVE-2021-4034. This CVE is a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This vulnerability allows a threat actor with prior access to a vulnerable Linux system to escalate their privileges from any user to full root.
Exploiting CVE-2021-4034 requires local authenticated access to the vulnerable machine; it cannot be exploited remotely without such access. The most likely attack scenario is an insider threat, where a malicious user escalates from an unprivileged account to full root privileges.
An external attack scenario would involve an attacker who had already obtained local authenticated access to the vulnerable system, either through another vulnerability or through a password-spraying-style attack. Once local authenticated access is achieved, the external attacker could then escalate to full root privileges through this vulnerability.
Proof of Concept (PoC) exploit code has been made publicly available for CVE-2021-4034 and security researchers have tested and confirmed the validity of this exploit.
Arctic Wolf is actively monitoring intelligence sources for any campaigns linked to the active exploitation of CVE-2021-4034 on Linux systems. We are monitoring for the most relevant indicators of compromise and TTPs associated with this vulnerability and any positive matches on this exploit activity will be escalated directly to customers as incidents.
We strongly advise customers to review the recommendations below for how to best remediate CVE-2021-4034.
Recommendations for CVE-2021-4034
This section provides details on the recommendations that Arctic Wolf suggests to remediate affected Linux Distributions.
Due to the widespread nature of CVE-2021-4034, with polkit being installed by default on all Linux distributions since 2009, Arctic Wolf Labs recommends updating Linux systems in your environment to the latest patches provided by distribution vendors as soon as it is feasible for your organization.
Recommendation #1: Patch Affected Linux Distributions
Almost all Linux distributions have shipped the affected version of polkit by default since 2009. On January 25, 2022, most major Linux distributors released patches for the vulnerable versions of polkit in their distributions.
Arctic Wolf recommends identifying the Linux distributions running in your environment and prioritizing the patching of systems that are external facing or considered high value. Visit the vendor's website for details on how to install the latest patches it provides.
Recommendation #2: Closely Monitor Linux Distribution Security Advisories and Additional Information Regarding CVE-2021-4034
As this vulnerability impacts nearly all Linux distributions, we expect additional advisories and patches to be released in the near term by the affected distributions. Monitor the security advisories of each Linux distribution present in your environment and follow their patch guidance to remediate CVE-2021-4034.