A trivially exploitable vulnerability has been disclosed in Polkit, a component installed by default on many Linux distributions. Successful exploits of this vulnerability would grant an attacker full root privileges on the host. Most devices in the Extended Internet of Things (XIoT) are likely affected.
The vulnerability, which Qualys has named PwnKit (CVE-2021-4034) has been in Polkit—once known as PolicyKit—for more than a decade. Polkit manages system-wide privileges on Linux operating systems and oversees how non-privileged processes communicate with privileged ones.
This memory-corruption issue likely impacts most devices in the XIoT, including industrial OT, enterprise IoT, and medical IoT equipment. PwnKit is a local privilege escalation vulnerability, meaning that an attacker would already need to have access to a vulnerable host in order to exploit the vulnerability.
Users who manage any Linux devices should determine their exposure and patch immediately. Qualys said it sent patches to affected distributions on Jan. 11; If a patch is not yet available for a particular Linux distribution, Qualys suggests as a mitigation that users remove the SUID-bit from Polkit's pkexec function.
In its advisory, Qualys said it was able to trigger the vulnerability in Polkit's pkexec function and gain root access on default installations of Ubuntu, Debian, Fedora, and CentOS. It's likely that other distributions are vulnerable, and exploitable.
Team82 has confirmed it was able to trigger the vulnerability, see the video below.
Qualys said it is unaware of public exploits. Qualys did not publish its proof-of-concept exploit because of the ease of exploitation involved with attacking this vulnerability. Others, however, have already reverse-engineered the bug and published PoCs online, indicating that more malicious exploits may not be far behind.
Users can find artifacts of exploits in logs, but Qualys cautions that the vulnerability may be quietly exploited as well.
"This exploitation technique leaves traces in the logs (either "The value for the SHELL variable was not found in the /etc/shells file" or "The value for environment variable […] contains suspicious content")," Qualys said in its advisory. "However, please note that this vulnerability is also exploitable without leaving any traces in the logs."
The disclosure of PwnKit is going to further inflame discussions about the security of open source software. Recently, the White House gathered tech leaders to discuss the issue in the context of the Log4j vulnerability in Apache. Log4j is a logging framework native to Apache that was ubiquitous across IT and operational technology environments. Multiple vulnerabilities and exploits surfaced post-disclosure, and the Biden administration expressed concern over the use of open source components in software used in critical infrastructure.
The issue when vulnerabilities such as PwnKit and Log4j arise is that users may be blind to these components running inside commercial or homegrown applications, so they may not understand their exposure when critical vulnerabilities are disclosed.
The Biden administration, last year in an Executive Order signed in May of last year, mandated that the federal government take steps to beef up the security of the software supply chain. The EO was in reaction to the SolarWinds compromise of late 2020, which demonstrated the fragility of the supply chain and reinforced the need for secure software development practices and oversight of products used by the federal government and within critical infrastructure.
One critical component of the EO was the need for a software bill of materials (SBOM) to be made available for each product used by the federal government. SBOMs describe the software components used in the development of a commercial product.
The availability of such a list would remove the mystery as to whether components such as Polkit, Log4j and others are running under the covers. Asset owners and IT administrators responsible for vulnerability management would immediately understand their exposure and be able to prioritize patching and other mitigations.
CWE-121 STACK-BASED BUFFER OVERFLOW:
Affected Vertiv products contain a stack based buffer overflow vulnerability. An attacker could exploit this vulnerability to gain code execution on the device.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Affected Vertiv products do not properly protect webserver functions that could allow an attacker to bypass authentication.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE 287: Improper Authentication
An Improper Authentication vulnerability exists in Danfoss AK-SM8xxA Series, resulting in an authentication bypass. Install the latest patch with number 4.2 to remediate this vulnerability. This flaw could enable an attacker to generate a web report that discloses sensitive information such as internal IP addresses, usernames, store names, and other sensitive information.e
CVSS v3: 8.2
CWE-798 USE OF HARD-CODED CREDENTIALS:
In Optigo Networks ONS NC600 versions 4.2.1-084 through 4.7.2-330, an attacker could connect with the device's ssh server and utilize the system's components to perform OS command executions.
Optigo Networks recommends users implement at least one of the following additional mitigations:
CVSS v3: 9.8
CWE-78 Improper Neutralization of Special Elements used in an OS Command:
A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of service condition on the product.
Mitsubishi Electric Europe B.V. recommends that users take note of the following mitigation measures to minimize the risk of exploiting this vulnerability:
CVSS v3: 9.8