CISA issues warning on active exploitation of PwnKit Linux vulnerability

CISA issues warning on active exploitation of the PwnKit vulnerability


All US federal agencies that fall under the Federal Civilian Executive Branch are required to secure their systems against the bug by July 18

The US Cybersecurity and Infrastructure Security Agency (CISA) this week added a Linux security vulnerability called PwnKit to its Known Exploited Vulnerabilities (KEV) catalogue and warned that the flaw has been actively exploited in attacks.

The PwnKit bug, tracked as CVE-2021-4034, was discovered by Qualys researchers in January 2022.

The flaw exists in the pkexec component of the Polkit system utility which is used in all major Linux distributions, including Ubuntu, CentOS, Debian and Fedora.

Polkit, previously known as PolicyKit, is a systemd SUID-root program used to manage system-wide privileges in Unix-like operating systems. The tool makes it possible for non-privileged processes to communicate with privileged processes in an organised manner.

The researchers who uncovered this memory corruption bug said it had been hiding for more than 12 years, affecting all versions of pkexec since the first version in May 2009.

If successfully exploited, the vulnerability causes pkexec to execute arbitrary code, giving an unprivileged local attacker administrative privileges on the targeted system and thereby full compromise of the host.

The vulnerability affects the products of a number of companies, including IBM, VMware, Juniper Networks, Moxa, and Siemens, all of which have published advisories detailing the impact of CVE-2021-4034.

Experts have warned that the risk of malicious exploitation of PwnKit is high, since proof-of-concept (PoC) exploits have been available and exploitation is not difficult.

Qualys recommended that Linux administrators quickly secure vulnerable systems by applying the fixes made available on the Polkit development team's GitLab repository.

It is not immediately clear how the security flaw is being weaponised in attacks, nor is there any information on the identity of the threat actor that could be using this weakness.

While exploiting CVE-2021-4034 should leave traces in log files, security experts note that it's also feasible to exploit the bug without leaving signs.

CISA has added seven other bugs to its KEV Catalogue in addition to the PwnKit flaw. They include an exploited Mitel VoIP zero-day (CVE-2022-29499) and five iOS flaws (CVE-2020-3837, CVE-2019-8605, CVE-2018-4344, CVE-2020-9907 and CVE-2021-30983) that were recently discovered as having been abused by the Italian spyware company RCS Lab.

CVE-2021-30533, a security issue in Chromium-based web browsers, is also listed in the catalogue. This vulnerability was exploited by a malvertising threat actor going by the moniker Yosec to deliver malicious payloads.

CISA has issued a directive to all agencies that fall under the Federal Civilian Executive Branch (FCEB) requiring them to patch the newly disclosed vulnerabilities by July 18.

According to a binding operational directive (BOD 22-01) that was published by CISA in the month of November, FCEB agencies are required to defend their systems against weaknesses that are added to the KEV Catalog in order to limit the risk of known exploited bugs across US government networks.

Although BOD 22-01 applies only to FCEB agencies, CISA strongly encourages all organisations to reduce their exposure to cyberattacks by prioritising the timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.