A trivially exploitable vulnerability has been disclosed in Polkit, a component installed by default on many Linux distributions. Successful exploits of this vulnerability would grant an attacker full root privileges on the host. Most devices in the Extended Internet of Things (XIoT) are likely affected.
The vulnerability, which Qualys has named PwnKit (CVE-2021-4034) has been in Polkit—once known as PolicyKit—for more than a decade. Polkit manages system-wide privileges on Linux operating systems and oversees how non-privileged processes communicate with privileged ones.
This memory-corruption issue likely impacts most devices in the XIoT, including industrial OT, enterprise IoT, and medical IoT equipment. PwnKit is a local privilege escalation vulnerability, meaning that an attacker would already need to have access to a vulnerable host in order to exploit the vulnerability.
Users who manage any Linux devices should determine their exposure and patch immediately. Qualys said it sent patches to affected distributions on Jan. 11; If a patch is not yet available for a particular Linux distribution, Qualys suggests as a mitigation that users remove the SUID-bit from Polkit's pkexec function.
In its advisory, Qualys said it was able to trigger the vulnerability in Polkit's pkexec function and gain root access on default installations of Ubuntu, Debian, Fedora, and CentOS. It's likely that other distributions are vulnerable, and exploitable.
Team82 has confirmed it was able to trigger the vulnerability, see the video below.
Qualys said it is unaware of public exploits. Qualys did not publish its proof-of-concept exploit because of the ease of exploitation involved with attacking this vulnerability. Others, however, have already reverse-engineered the bug and published PoCs online, indicating that more malicious exploits may not be far behind.
Users can find artifacts of exploits in logs, but Qualys cautions that the vulnerability may be quietly exploited as well.
"This exploitation technique leaves traces in the logs (either "The value for the SHELL variable was not found in the /etc/shells file" or "The value for environment variable […] contains suspicious content")," Qualys said in its advisory. "However, please note that this vulnerability is also exploitable without leaving any traces in the logs."
The disclosure of PwnKit is going to further inflame discussions about the security of open source software. Recently, the White House gathered tech leaders to discuss the issue in the context of the Log4j vulnerability in Apache. Log4j is a logging framework native to Apache that was ubiquitous across IT and operational technology environments. Multiple vulnerabilities and exploits surfaced post-disclosure, and the Biden administration expressed concern over the use of open source components in software used in critical infrastructure.
The issue when vulnerabilities such as PwnKit and Log4j arise is that users may be blind to these components running inside commercial or homegrown applications, so they may not understand their exposure when critical vulnerabilities are disclosed.
The Biden administration, last year in an Executive Order signed in May of last year, mandated that the federal government take steps to beef up the security of the software supply chain. The EO was in reaction to the SolarWinds compromise of late 2020, which demonstrated the fragility of the supply chain and reinforced the need for secure software development practices and oversight of products used by the federal government and within critical infrastructure.
One critical component of the EO was the need for a software bill of materials (SBOM) to be made available for each product used by the federal government. SBOMs describe the software components used in the development of a commercial product.
The availability of such a list would remove the mystery as to whether components such as Polkit, Log4j and others are running under the covers. Asset owners and IT administrators responsible for vulnerability management would immediately understand their exposure and be able to prioritize patching and other mitigations.
CWE-120 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW'):
A denial-of-service vulnerability exists in the affected product. The vulnerability results in a buffer overflow, potentially causing denial-of-service condition.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-122 HEAP-BASED BUFFER OVERFLOW:
A denial-of-service and possible remote code execution vulnerability exists in the affected product. The vulnerability results in the corruption of the heap memory, which may compromise the integrity of the system, potentially allowing for remote code execution or a denial-of-service attack.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-420 UNPROTECTED ALTERNATE CHANNEL:
A device takeover vulnerability exists in the affected product. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating admin users and performing factory reset.
Rockwell Automation has corrected these problems in firmware revision 4.020 and recommends users upgrade to the latest version available.
CVSS v3: 9.8
CWE-191 INTEGER UNDERFLOW (WRAP OR WRAPAROUND):
The affected product is vulnerable to an integer underflow. An unauthenticated attacker could send a malformed HTTP Requesty, which could allow the attacker to crash the program.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 5.3
CWE-78 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION'):
The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution.
Planet Technology recommends users upgrade to version 1.305b241111 or later.
CVSS v3: 9.8
