Critical 0-day vulnerability in Polkit pkexec component

Description

A vulnerability in Polkit’s (PolicyKit) pkexec component identified as CVE-2021-4034 (PwnKit) is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system. The issue exists within PolicyKit pkexec tool’s incorrect handling of command-line arguments.

A local unprivileged user could use this vulnerability to escalate privileges to an administrator. Example proof of concept exploitation code is currently emerging within the public domain which we will continue to monitor and update when new information becomes available. We are aware of the following proof of concept exploit code; however we would not recommend running these without performing your own due diligence;

• https://github.com/dzonerzy/poc-cve-2021-4034

• https://github.com/arthepsy/CVE-2021-403

Proof of Concept Exploit

Remediation

Vendor patches/hot fixes have been released by the respective vendors and its strongly recommended these are applied as soon as possible. A temporary mitigation for operating systems that have yet to push a patch is to strip pkexec of the SUID read/write rights with the following command:

chmod 0755 /usr/bin/pkexec

Please ensure that a review of this permission change effect would have within your environment before changing this permission.

Am I Affected?

If your OS uses policy kit and you have not updated your OS then you are likely to be affected. Updates for this issue started being issued around the 25th January 2022.The presence of policykit can be tested by checking for the existence of the pkexec binary. If your OS installs this in the standard location then the following test will show this.

$ test -f /usr/bin/pkexec && echo "pkexec exists."

Alternatively find can be used to detect pkexec installed in non-standard locations.

# find / -name pkexec -print 2>/dev/null

We continue to actively monitor the situation.

References

• https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

• https://ubuntu.com/security/notices/USN-5252-2

• https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

• https://access.redhat.com/security/cve/CVE-2021-4034

What kills new CISOs in their first 90 days – it’s not attackers. 

The pen test report. The risk register. The green dashboard. They feel like facts. They’re not. They’re a record of someone else’s decisions, at a point…

CVE-2026-33727 – When “Low Privilege” Isn’t Low Enough: A Pi-hole LPE Story

Pi-hole’s pihole user is low-privileged. It’s configured with nologin. It looks contained. It isn’t. Here’s how a writable file and a trusting root process combine into…

Proof of Human solves the bot problem. It doesn’t solve the people problem.

World ID can prove a real human is behind an account. It can’t prove that human hasn’t already been phished, vished, or bribed. The biggest breaches…